
Analysis Report New Order_1132012_xlxs.exe

Overview

General Information

Sample Name: New Order_1132012_xlxs.exe
Analysis ID: 339352
MD5: 1dc30f0b34a4f0d1404dc25a1cd54f6e
SHA1: a13d3512000d9f88bc0615e63cf3fe0053eac762
SHA256: 80d727cce7ca79da42e564afa636a5d023353bd7f87f9b5328038d8d3c4f071a
Tags: exe, NanoCore, nVpn, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • New Order_1132012_xlxs.exe (PID: 4132 cmdline: 'C:\Users\user\Desktop\New Order_1132012_xlxs.exe' MD5: 1DC30F0B34A4F0D1404DC25A1CD54F6E)
    • New Order_1132012_xlxs.exe (PID: 6192 cmdline: {path} MD5: 1DC30F0B34A4F0D1404DC25A1CD54F6E)
      • schtasks.exe (PID: 6276 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6328 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5729.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6408 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 1DC30F0B34A4F0D1404DC25A1CD54F6E)
    • dhcpmon.exe (PID: 6732 cmdline: {path} MD5: 1DC30F0B34A4F0D1404DC25A1CD54F6E)
  • dhcpmon.exe (PID: 6904 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 1DC30F0B34A4F0D1404DC25A1CD54F6E)
    • dhcpmon.exe (PID: 1928 cmdline: {path} MD5: 1DC30F0B34A4F0D1404DC25A1CD54F6E)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.251"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.275464694.0000000002401000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x43555:$a: NanoCore
  • 0x435ae:$a: NanoCore
  • 0x435eb:$a: NanoCore
  • 0x43664:$a: NanoCore
  • 0x56d0f:$a: NanoCore
  • 0x56d24:$a: NanoCore
  • 0x56d59:$a: NanoCore
  • 0x6fcdb:$a: NanoCore
  • 0x6fcf0:$a: NanoCore
  • 0x6fd25:$a: NanoCore
  • 0x435b7:$b: ClientPlugin
  • 0x435f4:$b: ClientPlugin
  • 0x43ef2:$b: ClientPlugin
  • 0x43eff:$b: ClientPlugin
  • 0x56acb:$b: ClientPlugin
  • 0x56ae6:$b: ClientPlugin
  • 0x56b16:$b: ClientPlugin
  • 0x56d2d:$b: ClientPlugin
  • 0x56d62:$b: ClientPlugin
  • 0x6fa97:$b: ClientPlugin
  • 0x6fab2:$b: ClientPlugin
00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x148b65:$x1: NanoCore.ClientPluginHost
  • 0x17b585:$x1: NanoCore.ClientPluginHost
  • 0x148ba2:$x2: IClientNetworkHost
  • 0x17b5c2:$x2: IClientNetworkHost
  • 0x14c6d5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x17f0f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
4.2.New Order_1132012_xlxs.exe.4e90000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
4.2.New Order_1132012_xlxs.exe.4e90000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\New Order_1132012_xlxs.exe, ProcessId: 6192, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\New Order_1132012_xlxs.exe, ParentProcessId: 6192, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp', ProcessId: 6276

Signature Overview

AV Detection:

Found malware configuration
Source: New Order_1132012_xlxs.exe.6740.14.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.251"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: New Order_1132012_xlxs.exe | ReversingLabs: Detection: 28%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.292460519.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.314829401.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.292360574.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.292643698.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6740, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6192, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 1928, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORY
Source: Yara match | File source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: New Order_1132012_xlxs.exe | Joe Sandbox ML: detected
Source: 13.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack | Avira: Label: TR/NanoCore.fadte
Source: 21.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: New Order_1132012_xlxs.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New Order_1132012_xlxs.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_052D9690
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 10_2_04A89690

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.140.53.251
Source: global traffic | TCP traffic: 192.168.2.5:49722 -> 185.140.53.251:1995
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.251
Source: dhcpmon.exe, 0000000A.00000002.275179535.00000000008A8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: New Order_1132012_xlxs.exe, 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.292460519.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.314829401.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.292360574.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.292643698.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6740, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6192, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 1928, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORY
Source: Yara match | File source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.632470140.0000000004E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.292460519.00000000040E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.314829401.0000000002A31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.292360574.00000000030E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.292643698.0000000002C31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6740, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6740, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6192, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6192, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 1928, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 1928, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.New Order_1132012_xlxs.exe.4e90000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: New Order_1132012_xlxs.exe
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 0_2_0136CAE40_2_0136CAE4
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 0_2_0136EEB00_2_0136EEB0
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 0_2_0136EEA30_2_0136EEA3
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 0_2_052D86580_2_052D8658
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 0_2_052D0AE00_2_052D0AE0
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 0_2_052D96900_2_052D9690
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 0_2_052DA5380_2_052DA538
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 0_2_052DA5480_2_052DA548
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 0_2_052DA7E80_2_052DA7E8
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 0_2_052D86480_2_052D8648
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 0_2_052D0AD30_2_052D0AD3
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 0_2_052D96800_2_052D9680
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 4_2_0104E4714_2_0104E471
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 4_2_0104E4804_2_0104E480
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 4_2_0104BBD44_2_0104BBD4
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeCode function: 4_2_029A97884_2_029A9788
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_029AF5F8
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_029A35A8
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_029AA5D0
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_029AA5F8
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_06360040
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 9_2_0148CAE4
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 9_2_0148EEAB
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 9_2_0148EEB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0085CAE4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0085EEAA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0085EEB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A88658
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A80AE0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A89690
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A8A538
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A8A548
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A88648
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A8A7E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A80AD2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A89680
Source: New Order_1132012_xlxs.exe | Binary or memory string: OriginalFilename vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe, 00000000.00000002.249375207.0000000005E00000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe, 00000004.00000002.633834300.0000000006870000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe, 00000004.00000002.633553683.00000000061F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe, 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe, 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe, 00000004.00000002.633122925.0000000005DC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe, 00000009.00000002.283641532.0000000005380000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe, 00000009.00000002.283632147.0000000005370000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe, 00000009.00000002.284265973.0000000005EE0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe, 00000009.00000002.276116621.0000000001259000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe, 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe, 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe, 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe | Binary or memory string: OriginalFilename3FU.exeR vs New Order_1132012_xlxs.exe
Source: New Order_1132012_xlxs.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.632470140.0000000004E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.632470140.0000000004E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.292460519.00000000040E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.314829401.0000000002A31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.292360574.00000000030E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.292643698.0000000002C31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6740, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6740, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6192, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6192, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 1928, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 1928, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.New Order_1132012_xlxs.exe.4e90000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.New Order_1132012_xlxs.exe.4e90000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: New Order_1132012_xlxs.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.0.dhcpmon.exe.90000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 10.0.dhcpmon.exe.90000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 10.0.dhcpmon.exe.90000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 4.2.New Order_1132012_xlxs.exe.4e0000.1.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 4.2.New Order_1132012_xlxs.exe.4e0000.1.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 4.2.New Order_1132012_xlxs.exe.4e0000.1.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.New Order_1132012_xlxs.exe.10000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 1.2.New Order_1132012_xlxs.exe.10000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.New Order_1132012_xlxs.exe.10000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: New Order_1132012_xlxs.exe, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: New Order_1132012_xlxs.exe, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: New Order_1132012_xlxs.exe, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.2.New Order_1132012_xlxs.exe.ac0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 9.2.New Order_1132012_xlxs.exe.ac0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 9.2.New Order_1132012_xlxs.exe.ac0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 9.0.New Order_1132012_xlxs.exe.ac0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 9.0.New Order_1132012_xlxs.exe.ac0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 9.0.New Order_1132012_xlxs.exe.ac0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.0.New Order_1132012_xlxs.exe.9a0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 0.0.New Order_1132012_xlxs.exe.9a0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.New Order_1132012_xlxs.exe.9a0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 2.0.New Order_1132012_xlxs.exe.2f0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 2.0.New Order_1132012_xlxs.exe.2f0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 2.0.New Order_1132012_xlxs.exe.2f0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.0.New Order_1132012_xlxs.exe.10000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 1.0.New Order_1132012_xlxs.exe.10000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.0.New Order_1132012_xlxs.exe.10000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: dhcpmon.exe.4.dr, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: dhcpmon.exe.4.dr, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: dhcpmon.exe.4.dr, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 4.0.New Order_1132012_xlxs.exe.4e0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 4.0.New Order_1132012_xlxs.exe.4e0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 4.0.New Order_1132012_xlxs.exe.4e0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 2.2.New Order_1132012_xlxs.exe.2f0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 2.2.New Order_1132012_xlxs.exe.2f0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 2.2.New Order_1132012_xlxs.exe.2f0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.New Order_1132012_xlxs.exe.9a0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 0.2.New Order_1132012_xlxs.exe.9a0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.New Order_1132012_xlxs.exe.9a0000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@22/8@0/1
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order_1132012_xlxs.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_01
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ed3264a4-4124-4ea4-a12f-e13701477dbb}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_01
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | File created: C:\Users\user\AppData\Local\Temp\tmp53AD.tmp
Source: New Order_1132012_xlxs.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: New Order_1132012_xlxs.exeReversingLabs: Detection: 28%
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeFile read: C:\Users\user\Desktop\New Order_1132012_xlxs.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\New Order_1132012_xlxs.exe 'C:\Users\user\Desktop\New Order_1132012_xlxs.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\New Order_1132012_xlxs.exe {path}
          Source: unknownProcess created: C:\Users\user\Desktop\New Order_1132012_xlxs.exe {path}
          Source: unknownProcess created: C:\Users\user\Desktop\New Order_1132012_xlxs.exe {path}
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5729.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\Desktop\New Order_1132012_xlxs.exe 'C:\Users\user\Desktop\New Order_1132012_xlxs.exe' 0
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: unknownProcess created: C:\Users\user\Desktop\New Order_1132012_xlxs.exe {path}
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess created: C:\Users\user\Desktop\New Order_1132012_xlxs.exe {path}Jump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess created: C:\Users\user\Desktop\New Order_1132012_xlxs.exe {path}Jump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess created: C:\Users\user\Desktop\New Order_1132012_xlxs.exe {path}Jump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp'Jump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5729.tmp'Jump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess created: C:\Users\user\Desktop\New Order_1132012_xlxs.exe {path}Jump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}Jump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}Jump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: New Order_1132012_xlxs.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: New Order_1132012_xlxs.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: New Order_1132012_xlxs.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: New Order_1132012_xlxs.exe, ParentalControl/ParentalControl.cs :: .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.New Order_1132012_xlxs.exe.9a0000.0.unpack, ParentalControl/ParentalControl.cs :: .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.New Order_1132012_xlxs.exe.9a0000.0.unpack, ParentalControl/ParentalControl.cs :: .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.New Order_1132012_xlxs.exe.10000.0.unpack, ParentalControl/ParentalControl.cs :: .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.New Order_1132012_xlxs.exe.10000.0.unpack, ParentalControl/ParentalControl.cs :: .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.New Order_1132012_xlxs.exe.2f0000.0.unpack, ParentalControl/ParentalControl.cs :: .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.New Order_1132012_xlxs.exe.2f0000.0.unpack, ParentalControl/ParentalControl.cs :: .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: dhcpmon.exe.4.dr, ParentalControl/ParentalControl.cs :: .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.New Order_1132012_xlxs.exe.4e0000.0.unpack, ParentalControl/ParentalControl.cs :: .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.New Order_1132012_xlxs.exe.4e0000.1.unpack, ParentalControl/ParentalControl.cs :: .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs :: .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs :: .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.2.New Order_1132012_xlxs.exe.ac0000.0.unpack, ParentalControl/ParentalControl.cs :: .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.New Order_1132012_xlxs.exe.ac0000.0.unpack, ParentalControl/ParentalControl.cs :: .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 10.0.dhcpmon.exe.90000.0.unpack, ParentalControl/ParentalControl.cs :: .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Binary contains a suspicious time stamp
          Source: initial sample :: Static PE information: 0x8DE54189 [Fri Jun 9 09:06:17 2045 UTC]
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe :: Code function: 4_2_029AA20C push FFFFFF8Bh; iretd 4_2_029AA1CC
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe :: Code function: 4_2_029A69FA push esp; retf 4_2_029A6A01
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe :: Code function: 4_2_029A69F8 pushad ; retf 4_2_029A69F9
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe :: Code function: 10_2_04A8F038 push 5000005Eh; retn 0004h 10_2_04A8F051
          Source: initial sample :: Static PE information: section name: .text entropy: 7.89221462545
          Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs :: High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs :: High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe :: File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
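          The 2045 build stamp above deserves a closer look than the one-line signature gives it. The Python below is an added example, not part of the report or of the sandbox vendor's tooling: it reads the COFF TimeDateStamp out of a PE header and gives it a triage verdict. The stamp value and the fact that the sample is a managed image (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is present) are taken from the report; the header bytes it parses and the first-seen time are constructed for the example. The caveat it encodes is one an analyst should carry: Roslyn's deterministic builds write a content hash into this field, so an impossible timestamp on a .NET assembly is weaker evidence than the same finding on a native binary and needs the neighbouring findings (Assembly.Load(byte[]), .text entropy near 8 bits per byte, renamed methods) to carry the verdict.

```python
import struct
from datetime import datetime, timedelta, timezone

PE_SIGNATURE = b"PE\x00\x00"


def build_stub_header(time_date_stamp: int) -> bytes:
    """Constructed test input: a DOS header whose e_lfanew points at a PE
    signature followed by a 20-byte COFF file header. Only the fields the
    parser reads are meaningful; this is not a loadable image."""
    dos = bytearray(b"MZ" + b"\x00" * 62)            # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> offset 0x40
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,            # Machine: IMAGE_FILE_MACHINE_I386
        1,                 # NumberOfSections
        time_date_stamp,   # TimeDateStamp, seconds since the Unix epoch
        0,                 # PointerToSymbolTable
        0,                 # NumberOfSymbols
        0xE0,              # SizeOfOptionalHeader (PE32)
        0x0102,            # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + PE_SIGNATURE + coff


def read_time_date_stamp(image: bytes) -> int:
    """Return the raw COFF TimeDateStamp of a PE image held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature; TimeDateStamp is its
    # third field (after Machine and NumberOfSections), i.e. signature + 8.
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def stamp_to_iso(stamp: int) -> str:
    """Render a TimeDateStamp as an ISO-8601 UTC string."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(seconds=stamp)).isoformat()


def classify_stamp(stamp: int, observed_at: int, is_dotnet: bool) -> str:
    """Triage verdict for a compile timestamp relative to the time the sample
    was first observed (both as Unix seconds).

    zeroed        : field cleared; common in packers and some toolchains
    future        : later than first observation, so not a real build time
    future-dotnet : as above, but on a managed image, where a deterministic
                    (hash-derived) stamp is a known benign cause, so the
                    finding needs corroboration before it counts
    plausible     : in the past; says nothing on its own
    """
    if stamp == 0:
        return "zeroed"
    if stamp > observed_at:
        return "future-dotnet" if is_dotnet else "future"
    return "plausible"


# Taken from the report: the sample's stamp and its managed-image status.
REPORTED_STAMP = 0x8DE54189
SAMPLE_IS_DOTNET = True
# Assumed value for this example: first-seen time in early January 2021.
OBSERVED_AT = 1610000000

if __name__ == "__main__":
    stamp = read_time_date_stamp(build_stub_header(REPORTED_STAMP))
    print(hex(stamp), stamp_to_iso(stamp),
          classify_stamp(stamp, OBSERVED_AT, SAMPLE_IS_DOTNET))
```

          On the report's value the parser returns 0x8DE54189, which renders as 2045-06-09T09:06:17+00:00 and classifies as future-dotnet. To run it against a real file, pass the file's bytes to read_time_date_stamp instead of the stub header.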

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown :: Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp'
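          The schtasks invocations in this report (this one and the 'DHCP Monitor Task' sibling listed under the spawned processes) are what the "Scheduled temp file as task from temp location" Sigma hit in the overview keys on: a task definition imported from an XML file under the user's temp directory, with /f so an existing task of the same name is overwritten silently. Legitimate installers rarely produce that combination. The Python below is an added example, not code from the report or from the Sigma project: it applies that logic to constructed Sysmon-style process-creation records, two of which carry the report's own command lines (written with the double quotes Windows passes; the sandbox renders them with single quotes), and returns the task name, definition path and parent for each hit. The dropped tmp53AD.tmp and tmp5729.tmp files are the task definitions themselves, so they are where to read the task's action and triggers.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """A process-creation record as Sysmon Event ID 1 or EDR telemetry would
    carry it (constructed for this example)."""
    image: str
    command_line: str
    parent_image: str


# Constructed records. The first two command lines are the ones in the report;
# the last two are benign controls: a task with no XML definition, and an XML
# definition that does not live in a temp directory.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\schtasks.exe",
        command_line=r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp53AD.tmp"',
        parent_image=r"C:\Users\user\Desktop\New Order_1132012_xlxs.exe",
    ),
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\schtasks.exe",
        command_line=r'"schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5729.tmp"',
        parent_image=r"C:\Users\user\Desktop\New Order_1132012_xlxs.exe",
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\schtasks.exe",
        command_line=r'schtasks.exe /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00',
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\schtasks.exe",
        command_line=r'schtasks.exe /create /tn "Vendor Update" /xml "C:\ProgramData\Vendor\update.xml"',
        parent_image=r"C:\Program Files\Vendor\setup.exe",
    ),
]

# Directories a task definition has no business being imported from.
TEMP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)


def has_switch(command_line: str, switch: str) -> bool:
    """True if the switch appears as a token of its own (so /f does not match /force)."""
    pattern = r"(?<!\S)" + re.escape(switch) + r"(?!\S)"
    return re.search(pattern, command_line, re.IGNORECASE) is not None


def argument_after(command_line: str, switch: str) -> Optional[str]:
    """Value following a switch: double-quoted, single-quoted, or a bare token."""
    pattern = re.escape(switch) + r"""\s+(?:"([^"]*)"|'([^']*)'|(\S+))"""
    m = re.search(pattern, command_line, re.IGNORECASE)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def detect_temp_task(event: ProcessEvent) -> Optional[dict]:
    """Flag schtasks /create whose /xml definition is read from a temp directory."""
    if event.image.lower().rsplit("\\", 1)[-1] != "schtasks.exe":
        return None
    cmd = event.command_line
    if not has_switch(cmd, "/create"):
        return None
    xml_path = argument_after(cmd, "/xml")
    if xml_path is None or not TEMP_DIRS.search(xml_path):
        return None
    return {
        "task_name": argument_after(cmd, "/tn"),
        "xml_path": xml_path,
        "forced": has_switch(cmd, "/f"),   # /f overwrites an existing task silently
        "parent_image": event.parent_image,
    }


def scan(events: List[ProcessEvent]) -> List[dict]:
    """Run the detection over a batch of records and keep the hits."""
    return [hit for hit in map(detect_temp_task, events) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

          Run over the constructed batch, scan returns the two report command lines and neither control. The image check is on the basename only, so both the SysWOW64 copy used here and the System32 copy match; the parent_image in each hit is what to pivot on next, since a task created by a freshly dropped user-profile binary is the interesting case.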

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeFile opened: C:\Users\user\Desktop\New Order_1132012_xlxs.exe:Zone.Identifier read attributes | deleteJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: 0000000A.00000002.275464694.0000000002401000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.296751787.00000000026B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.277332369.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6904, type: MEMORY
          Source: Yara match | File source: Process Memory Space: New Order_1132012_xlxs.exe PID: 4132, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6408, type: MEMORY
          Source: Yara match | File source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6396, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: New Order_1132012_xlxs.exe, 00000000.00000002.245196991.0000000002D83000.00000004.00000001.sdmp, New Order_1132012_xlxs.exe, 00000009.00000002.277711497.0000000002EB9000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275464694.0000000002401000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.297020002.0000000002729000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: New Order_1132012_xlxs.exe, 00000000.00000002.245196991.0000000002D83000.00000004.00000001.sdmp, New Order_1132012_xlxs.exe, 00000009.00000002.277711497.0000000002EB9000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275464694.0000000002401000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.297020002.0000000002729000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Window / User API: threadDelayed 6671
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Window / User API: threadDelayed 2671
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Window / User API: foregroundWindowGot 1292
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Window / User API: foregroundWindowGot 446
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe TID: 2252 | Thread sleep time: -31500s >= -30000s
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe TID: 6036 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe TID: 6380 | Thread sleep time: -5534023222112862s >= -30000s
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe TID: 6400 | Thread sleep time: -31500s >= -30000s
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe TID: 6428 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6412 | Thread sleep time: -31500s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6452 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6816 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe TID: 6852 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6908 | Thread sleep time: -31500s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6980 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6180 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: dhcpmon.exe, 0000000F.00000002.297020002.0000000002729000.00000004.00000001.sdmp | Binary or memory string: VMware
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.633834300.0000000006870000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: dhcpmon.exe, 0000000F.00000002.297020002.0000000002729000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: dhcpmon.exe, 0000000F.00000002.297020002.0000000002729000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: dhcpmon.exe, 0000000F.00000002.297020002.0000000002729000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: dhcpmon.exe, 0000000F.00000002.297020002.0000000002729000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.633834300.0000000006870000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.633834300.0000000006870000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: dhcpmon.exe, 0000000F.00000002.297020002.0000000002729000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: dhcpmon.exe, 0000000F.00000002.297020002.0000000002729000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: dhcpmon.exe, 0000000F.00000002.297020002.0000000002729000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: dhcpmon.exe, 0000000F.00000002.297020002.0000000002729000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.627189646.0000000000BC0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.633834300.0000000006870000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Process created: C:\Users\user\Desktop\New Order_1132012_xlxs.exe {path}
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp'
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5729.tmp'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.632998632.0000000005AFE000.00000004.00000010.sdmp | Binary or memory string: Program Manager
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.627949321.0000000001400000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.627949321.0000000001400000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.627949321.0000000001400000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.630797435.0000000002D9B000.00000004.00000001.sdmp | Binary or memory string: Program Managerx
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.627949321.0000000001400000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.627949321.0000000001400000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.633987483.0000000006A9E000.00000004.00000001.sdmp | Binary or memory string: Program Manager ]
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.633600535.000000000633E000.00000004.00000001.sdmp | Binary or memory string: Program Manager
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Queries volume information: C:\Users\user\Desktop\New Order_1132012_xlxs.exe VolumeInformation
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.292460519.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000015.00000002.314829401.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.292360574.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.292643698.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6740, type: MEMORY
          Source: Yara match | File source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6192, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 1928, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORY
          Source: Yara match | File source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Detected Nanocore Rat
Source: New Order_1132012_xlxs.exe, 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeyword
AttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000000D.00000002.292460519.00000000040E9000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 0000000D.00000002.292460519.00000000040E9000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem
.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: New Order_1132012_xlxs.exe, 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
          Source: New Order_1132012_xlxs.exe, 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeyword
AttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem
.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match, File source: 00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.292460519.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.314829401.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.292360574.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.292643698.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6740, type: MEMORY
Source: Yara match, File source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6192, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 1928, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORY
Source: Yara match, File source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection12 | Masquerading2 | Input Capture21 | Security Software Discovery21 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion2 | LSASS Memory | Virtualization/Sandbox Evasion2 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection12 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | System Information Discovery12 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Timestomp1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

Behavior Graph ID: 339352
Sample: New Order_1132012_xlxs.exe
Startdate: 13/01/2021
Architecture: WINDOWS
Score: 100

Signatures shown on the graph: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 14 other signatures; Hides that the sample has been downloaded from the Internet (zone.identifier).

Process tree and artifacts recovered from the graph:
New Order_1132012_xlxs.exe (started)
  dropped: C:\Users\...\New Order_1132012_xlxs.exe.log, ASCII
  New Order_1132012_xlxs.exe (started)
    network: 185.140.53.251, port 1995 (local ports 49722, 49725), DAVID_CRAIGGG, Sweden
    dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32
    dropped: C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859
    dropped: C:\Users\user\AppData\Local\...\tmp53AD.tmp, XML
    dropped: C:\...\dhcpmon.exe:Zone.Identifier, ASCII
    signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    schtasks.exe (started)
      conhost.exe (started)
    schtasks.exe (started)
      conhost.exe (started)
  New Order_1132012_xlxs.exe (started)
  New Order_1132012_xlxs.exe (started)
New Order_1132012_xlxs.exe (started)
  New Order_1132012_xlxs.exe (started)
dhcpmon.exe (started)
  dhcpmon.exe (started)
dhcpmon.exe (started)
  dhcpmon.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
New Order_1132012_xlxs.exe | 28% | ReversingLabs | Win32.Trojan.Wacatac
New Order_1132012_xlxs.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 28% | ReversingLabs | Win32.Trojan.Wacatac

          Unpacked PE Files

Source | Detection | Scanner | Label
13.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack | 100% | Avira | TR/NanoCore.fadte
21.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
4.2.New Order_1132012_xlxs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.2.New Order_1132012_xlxs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted IPs


          Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.140.53.251 | unknown | Sweden | 209623 | DAVID_CRAIGGG | true

          General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 339352
Start date: 13.01.2021
Start time: 21:29:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 26s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: New Order_1132012_xlxs.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@22/8@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.5% (good quality ratio 0.5%)
• Quality average: 80.9%
• Quality standard deviation: 31.5%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 94
• Number of non-executed functions: 6
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/339352/sample/New Order_1132012_xlxs.exe

          Simulations

          Behavior and APIs

Time | Type | Description
21:30:31 | API Interceptor | 1452x Sleep call for process: New Order_1132012_xlxs.exe modified
21:30:40 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\New Order_1132012_xlxs.exe" s>$(Arg0)
21:30:40 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
21:30:41 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
21:30:42 | API Interceptor | 2x Sleep call for process: dhcpmon.exe modified

          Joe Sandbox View / Context

          IPs

Match | Associated Sample Name / URL | Detection
185.140.53.251 | URGENT #RFQ 102720.exe | malicious
185.140.53.251 | URGENT #RFQ.exe | malicious

              Domains

              No context

              ASN

Match | Associated Sample Name / URL | Detection | Context
DAVID_CRAIGGG | CONTRACT_87908.exe | malicious | 91.193.75.182
DAVID_CRAIGGG | Geno_Quotation,pdf.exe | malicious | 185.140.53.135
DAVID_CRAIGGG | Quote_45893216_33661100.pdf.exe | malicious | 91.193.75.185
DAVID_CRAIGGG | DHL Delivery Shipping, PDF.exe | malicious | 185.244.30.18
DAVID_CRAIGGG | Proof of Payment.exe | malicious | 185.140.53.183
DAVID_CRAIGGG | INVOICE-0966542R.exe | malicious | 185.165.153.116
DAVID_CRAIGGG | Payment notification.exe | malicious | 185.140.53.146
DAVID_CRAIGGG | xNrobnGMNI.exe | malicious | 91.193.75.94
DAVID_CRAIGGG | E8Jkw96qFU.exe | malicious | 185.140.53.149
DAVID_CRAIGGG | PAYMENT-REFUND-DOCUMENTS-00J-0S3.exe | malicious | 185.140.53.185
DAVID_CRAIGGG | Scan-Documents0012HDU5063GD7G.exe | malicious | 185.140.53.185
DAVID_CRAIGGG | PO20002106.exe | malicious | 185.140.53.135
DAVID_CRAIGGG | Shipping Document PL&BL003534,pdf.exe | malicious | 185.244.30.19
DAVID_CRAIGGG | Shipping Document PLBL003534.xls | malicious | 185.244.30.19
DAVID_CRAIGGG | DHL1.exe | malicious | 185.140.53.221
DAVID_CRAIGGG | New Order.exe | malicious | 185.140.53.227
DAVID_CRAIGGG | 988119028872673623l.exe | malicious | 185.140.53.163
DAVID_CRAIGGG | SecuriteInfo.com.Fareit-FZO54A4BE7037EC.exe | malicious | 185.140.53.149
DAVID_CRAIGGG | QUOTATION2021_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe | malicious | 185.140.53.211
DAVID_CRAIGGG | NEWQUOTATION_RFQ#38787_A_Bich_Thien_Trading_Co_Ltd.exe | malicious | 185.140.53.211

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Users\user\Desktop\New Order_1132012_xlxs.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 639488
Entropy (8bit): 7.8841839406073335
Encrypted: false
SSDEEP: 12288:lS8VEI79a0l4Erl2+2EMlJSZ4C2UiVkEpW1S4W:vVNxjuEd5py9pw
MD5: 1DC30F0B34A4F0D1404DC25A1CD54F6E
SHA1: A13D3512000D9F88BC0615E63CF3FE0053EAC762
SHA-256: 80D727CCE7CA79DA42E564AFA636A5D023353BD7F87F9B5328038D8D3C4F071A
SHA-512: FC0E518768A66BAC569F3F1CCAC286B3440E5E3486451402F4C7F9D036F114B89576956B8E5A31DAEAC26B5BD0F9BBC6D8F9C2DDFFB5BD77EA7A33660E1626C7
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 28%
Reputation: low
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A...............0.................. ........@.. ....................... ............@.................................d...O...................................H................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........T.......K...8K...............................................0..B........s.........(.......(.....(.......(....o.......s....(.......(.....*".(.....*..0..............r...p..(......9.........s........s ......8........a...%..=.o!.........o"...ri..p(#.......,q.....o"....(#.......,Z.+:....a...%..=.o!.........o"...r{..p(#.......,.......($...&...o%...%.r...po&..........-......o%...%........:L......&......o'........&.......+...*.......,......................0...........s(.
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
Process: C:\Users\user\Desktop\New Order_1132012_xlxs.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
              Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order_1132012_xlxs.exe.log
Process: C:\Users\user\Desktop\New Order_1132012_xlxs.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1216
              Entropy (8bit):5.355304211458859
              Encrypted:false
              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
              MD5:FED34146BF2F2FA59DCF8702FCC8232E
              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
              Malicious:false
              Reputation:high, very likely benign file
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
              C:\Users\user\AppData\Local\Temp\tmp53AD.tmp
              Process:C:\Users\user\Desktop\New Order_1132012_xlxs.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1313
              Entropy (8bit):5.119062090819913
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0PB3xtn:cbk4oL600QydbQxIYODOLedq3SB3j
              MD5:AA5CEF070BB24DB9CDC1F900F88844F8
              SHA1:428035BD5B8FB743962530739FB29AB78F2DD6AC
              SHA-256:4D6B3200CF59C3AE262E1397B549AC370A01DC7C6C1EA26994CBFB445CC4173C
              SHA-512:4DA38C4D44123429FB6F503CBB3FA11C079AAA38192BBDBCD4678A56D01A2EFF71E6DF7F17A006CB436278E52D097B8B6E411BEEDBB5451EC42863EB41A01A1A
              Malicious:true
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Local\Temp\tmp5729.tmp
              Process:C:\Users\user\Desktop\New Order_1132012_xlxs.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):1310
              Entropy (8bit):5.109425792877704
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
              Malicious:false
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
              Process:C:\Users\user\Desktop\New Order_1132012_xlxs.exe
              File Type:ISO-8859 text, with NEL line terminators
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:3:AvP:AvP
              MD5:AE5C54A5CD39B0545B4A937B7A47F40D
              SHA1:485FC132EBC3F5B7FF7D1504524D890B30C5A438
              SHA-256:59E03BF0AFB302A7DCF3B3DDED6C201B97DDC2833B293197B3AEF7DD5AD569B7
              SHA-512:08232E4BBFE788E4223FF1CC955173C6132EF5D32FEF313C1AD379112A7C90E83DA76124A52956A0BE587BB2BCF060E5784AF9BC6AA7B5D31362F60962859DC6
              Malicious:true
              Preview: ...M..H
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
              Process:C:\Users\user\Desktop\New Order_1132012_xlxs.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):50
              Entropy (8bit):4.496174630069642
              Encrypted:false
              SSDEEP:3:oNUWJRWrgA5S4An:oNNJACn
              MD5:B98B3AAB737B53E93C07EC515EDC5E0A
              SHA1:A8E962EF9CF7566544A114FF8CABA54B28CEF688
              SHA-256:B45E04ED07900E534B6F49F3A5DD28660A2A4B4FC778E88E05EB8AC3F3CF726B
              SHA-512:D0CC3AAEE9843B963FF6C816335BEF56A05551E944020FA8B5D0B6F4B136039F9F90D88F26756A716693D39EFBDEE5B12ACAED750C5CE98790FF259980309BA5
              Malicious:false
              Preview: C:\Users\user\Desktop\New Order_1132012_xlxs.exe

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.8841839406073335
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              • Win32 Executable (generic) a (10002005/4) 49.75%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Windows Screen Saver (13104/52) 0.07%
              • Generic Win/DOS Executable (2004/3) 0.01%
              File name:New Order_1132012_xlxs.exe
              File size:639488
              MD5:1dc30f0b34a4f0d1404dc25a1cd54f6e
              SHA1:a13d3512000d9f88bc0615e63cf3fe0053eac762
              SHA256:80d727cce7ca79da42e564afa636a5d023353bd7f87f9b5328038d8d3c4f071a
              SHA512:fc0e518768a66bac569f3f1ccac286b3440e5e3486451402f4c7f9d036f114b89576956b8e5a31daeac26b5bd0f9bbc6d8f9c2ddffb5bd77ea7a33660e1626c7
              SSDEEP:12288:lS8VEI79a0l4Erl2+2EMlJSZ4C2UiVkEpW1S4W:vVNxjuEd5py9pw
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A................0.................. ........@.. ....................... ............@................................

              File Icon

              Icon Hash:00828e8e8686b000

              Static PE Info

              General

              Entrypoint:0x49d6b6
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x8DE54189 [Fri Jun 9 09:06:17 2045 UTC]
              TLS Callbacks:
              CLR (.Net) Version:v4.0.30319
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

              Entrypoint Preview

              Instruction
              jmp dword ptr [00402000h]

              Data Directories

              Name                                  Virtual Address  Virtual Size  Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
              IMAGE_DIRECTORY_ENTRY_IMPORT          0x9d664          0x4f          .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9e000          0x5d4         .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa0000          0xc           .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG           0x9d648          0x1c          .text
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
              IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

              Sections

              Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
              .text   0x2000           0x9b6bc       0x9b800   False     0.918877800945   data       7.89221462545   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rsrc   0x9e000          0x5d4         0x600     False     0.427734375      data       4.15154877822   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc  0xa0000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

              Resources

              Name         RVA      Size   Type                                                                       Language  Country
              RT_VERSION   0x9e090  0x344  data
              RT_MANIFEST  0x9e3e4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

              Imports

              DLL          Import
              mscoree.dll  _CorExeMain

              Version Infos

              Description       Data
              Translation       0x0000 0x04b0
              LegalCopyright    Copyright 2019
              Assembly Version  1.0.0.0
              InternalName      3.exe
              FileVersion       1.0.0.0
              CompanyName
              LegalTrademarks
              Comments
              ProductName       MultiUserParentalControl
              ProductVersion    1.0.0.0
              FileDescription   MultiUserParentalControl
              OriginalFilename  3.exe

              Network Behavior

              Network Port Distribution

              TCP Packets

              Timestamp                          Source Port  Dest Port  Source IP    Dest IP
              Jan 13, 2021 21:33:55.484231949 CET497821995192.168.2.5185.140.53.251
              Jan 13, 2021 21:33:55.533906937 CET199549782185.140.53.251192.168.2.5
              Jan 13, 2021 21:33:59.547684908 CET497831995192.168.2.5185.140.53.251
              Jan 13, 2021 21:33:59.596256018 CET199549783185.140.53.251192.168.2.5
              Jan 13, 2021 21:34:00.109620094 CET497831995192.168.2.5185.140.53.251
              Jan 13, 2021 21:34:00.158524036 CET199549783185.140.53.251192.168.2.5
              Jan 13, 2021 21:34:00.672235966 CET497831995192.168.2.5185.140.53.251
              Jan 13, 2021 21:34:00.720916986 CET199549783185.140.53.251192.168.2.5
              Jan 13, 2021 21:34:04.735835075 CET497841995192.168.2.5185.140.53.251
              Jan 13, 2021 21:34:04.784493923 CET199549784185.140.53.251192.168.2.5
              Jan 13, 2021 21:34:05.297451973 CET497841995192.168.2.5185.140.53.251
              Jan 13, 2021 21:34:05.346185923 CET199549784185.140.53.251192.168.2.5
              Jan 13, 2021 21:34:05.860121965 CET497841995192.168.2.5185.140.53.251
              Jan 13, 2021 21:34:05.909265995 CET199549784185.140.53.251192.168.2.5
              Jan 13, 2021 21:34:09.924030066 CET497851995192.168.2.5185.140.53.251
              Jan 13, 2021 21:34:09.972728014 CET199549785185.140.53.251192.168.2.5
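              The packet rows above show the pattern a detection engineer cares about more than any single address: the sandbox host opens a fresh TCP connection (a new ephemeral source port, 49775, 49776, ... 49785) to 185.140.53.251 on port 1995 roughly every five seconds, exchanges a few packets, and repeats. That is a C2 check-in loop, and it can be detected from timing alone even after the operator moves the server. The script below is an added example, not part of the Joe Sandbox report or of the NanoCore sample: it parses rows in the column layout of the table above (the sample rows are a constructed subset copied from it), treats the first packet on each source port as a connection start, and flags a server endpoint as a beacon when the gaps between connection starts are regular (low coefficient of variation) and the port is not one of a small, assumed list of services where a regular client poll is normal.

```python
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: the connection-start packets (plus a few replies and
# mid-connection packets) copied from the TCP packet table above, one
# whitespace-separated row per packet in the same column order:
# timestamp, source port, destination port, source IP, destination IP.
SAMPLE_ROWS = """\
Jan 13, 2021 21:33:13.730696917 CET 49771 1995 192.168.2.5 185.140.53.251
Jan 13, 2021 21:33:13.779334068 CET 1995 49771 185.140.53.251 192.168.2.5
Jan 13, 2021 21:33:17.816601992 CET 49775 1995 192.168.2.5 185.140.53.251
Jan 13, 2021 21:33:17.865339994 CET 1995 49775 185.140.53.251 192.168.2.5
Jan 13, 2021 21:33:18.434168100 CET 49775 1995 192.168.2.5 185.140.53.251
Jan 13, 2021 21:33:19.137295961 CET 49775 1995 192.168.2.5 185.140.53.251
Jan 13, 2021 21:33:23.230499983 CET 49776 1995 192.168.2.5 185.140.53.251
Jan 13, 2021 21:33:28.422276974 CET 49777 1995 192.168.2.5 185.140.53.251
Jan 13, 2021 21:33:33.610718966 CET 49778 1995 192.168.2.5 185.140.53.251
Jan 13, 2021 21:33:38.796067953 CET 49779 1995 192.168.2.5 185.140.53.251
Jan 13, 2021 21:33:43.984714985 CET 49780 1995 192.168.2.5 185.140.53.251
Jan 13, 2021 21:33:49.171991110 CET 49781 1995 192.168.2.5 185.140.53.251
Jan 13, 2021 21:33:54.360222101 CET 49782 1995 192.168.2.5 185.140.53.251
Jan 13, 2021 21:33:59.547684908 CET 49783 1995 192.168.2.5 185.140.53.251
Jan 13, 2021 21:34:04.735835075 CET 49784 1995 192.168.2.5 185.140.53.251
Jan 13, 2021 21:34:09.924030066 CET 49785 1995 192.168.2.5 185.140.53.251
"""

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+)\s+\w+\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)$"
)
EPOCH = datetime(1970, 1, 1)
# Assumed allow-list: ports where a regular client poll is unremarkable
# (DNS, HTTP, NTP, HTTPS). Tune for your environment.
COMMON_PORTS = {53, 80, 123, 443}


def parse_rows(text):
    """Yield (seconds, sport, dport, src, dst) for each packet row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip headers or anything that is not a packet row
        base = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
        # The table carries nanoseconds; strptime's %f stops at microseconds,
        # so the fraction is added by hand.
        frac = int(m["frac"].ljust(9, "0")[:9]) / 1e9
        yield ((base - EPOCH).total_seconds() + frac,
               int(m["sport"]), int(m["dport"]), m["src"], m["dst"])


def connection_starts(packets):
    """Group outbound (private -> public) packets by server endpoint. The first
    packet seen on an ephemeral source port marks a new TCP connection; later
    packets on the same port belong to that connection. (Port reuse over a very
    long capture would merge two connections; acceptable for beacon timing.)"""
    starts = defaultdict(dict)  # (dst_ip, dst_port) -> {sport: first_seen}
    for t, sport, dport, src, dst in packets:
        if ipaddress.ip_address(src).is_private and not ipaddress.ip_address(dst).is_private:
            starts[(dst, dport)].setdefault(sport, t)
    return {k: sorted(v.values()) for k, v in starts.items()}


def find_beacons(text, min_conns=5, max_cv=0.2):
    """Return one finding per server endpoint with at least min_conns connections.
    'beacon' is True when the inter-connection gaps are regular (stdev/mean
    <= max_cv) and the destination port is not an allow-listed service."""
    findings = []
    for (dst, dport), times in connection_starts(parse_rows(text)).items():
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        findings.append({
            "dst": (dst, dport),
            "connections": len(times),
            "median_interval": statistics.median(gaps),
            "jitter_cv": cv,
            "beacon": cv <= max_cv and dport not in COMMON_PORTS,
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_ROWS):
        print(f)
```

              On the rows above this yields a single endpoint, 185.140.53.251:1995, with twelve connections and a median gap of about 5.2 s at a jitter of under 10 %, which is flagged. The first gap (49771 to 49775) is shorter because the intervening source ports went elsewhere and are not in this subset; using the coefficient of variation rather than an exact period keeps the check tolerant of such holes and of the small jitter a real implant adds.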

              Code Manipulations

              Statistics

              CPU Usage

              Memory Usage

              High Level Behavior Distribution

              Behavior

              System Behavior

              General

              Start time:21:30:30
              Start date:13/01/2021
              Path:C:\Users\user\Desktop\New Order_1132012_xlxs.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\New Order_1132012_xlxs.exe'
              Imagebase:0x9a0000
              File size:639488 bytes
              MD5 hash:1DC30F0B34A4F0D1404DC25A1CD54F6E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:21:30:34
              Start date:13/01/2021
              Path:C:\Users\user\Desktop\New Order_1132012_xlxs.exe
              Wow64 process (32bit):false
              Commandline:{path}
              Imagebase:0x10000
              File size:639488 bytes
              MD5 hash:1DC30F0B34A4F0D1404DC25A1CD54F6E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              General

              Start time:21:30:34
              Start date:13/01/2021
              Path:C:\Users\user\Desktop\New Order_1132012_xlxs.exe
              Wow64 process (32bit):false
              Commandline:{path}
              Imagebase:0x2f0000
              File size:639488 bytes
              MD5 hash:1DC30F0B34A4F0D1404DC25A1CD54F6E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              General

              Start time:21:30:35
              Start date:13/01/2021
              Path:C:\Users\user\Desktop\New Order_1132012_xlxs.exe
              Wow64 process (32bit):true
              Commandline:{path}
              Imagebase:0x4e0000
              File size:639488 bytes
              MD5 hash:1DC30F0B34A4F0D1404DC25A1CD54F6E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.632470140.0000000004E90000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.632470140.0000000004E90000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:21:30:37
              Start date:13/01/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp'
              Imagebase:0x9c0000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:21:30:38
              Start date:13/01/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7ecfc0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:21:30:38
              Start date:13/01/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5729.tmp'
              Imagebase:0x9c0000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:21:30:38
              Start date:13/01/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff797770000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:21:30:40
              Start date:13/01/2021
              Path:C:\Users\user\Desktop\New Order_1132012_xlxs.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\New Order_1132012_xlxs.exe' 0
              Imagebase:0xac0000
              File size:639488 bytes
              MD5 hash:1DC30F0B34A4F0D1404DC25A1CD54F6E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.277332369.0000000002E41000.00000004.00000001.sdmp, Author: Joe Security
              Reputation:low

              General

              Start time:21:30:40
              Start date:13/01/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
              Imagebase:0x90000
              File size:639488 bytes
              MD5 hash:1DC30F0B34A4F0D1404DC25A1CD54F6E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.275464694.0000000002401000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 28%, ReversingLabs
              Reputation:low

              General

              Start time:21:30:49
              Start date:13/01/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:{path}
              Imagebase:0xd60000
              File size:639488 bytes
              MD5 hash:1DC30F0B34A4F0D1404DC25A1CD54F6E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.292460519.00000000040E9000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.292460519.00000000040E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.292360574.00000000030E1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.292360574.00000000030E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:21:30:49
              Start date:13/01/2021
              Path:C:\Users\user\Desktop\New Order_1132012_xlxs.exe
              Wow64 process (32bit):true
              Commandline:{path}
              Imagebase:0x850000
              File size:639488 bytes
              MD5 hash:1DC30F0B34A4F0D1404DC25A1CD54F6E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.292643698.0000000002C31000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.292643698.0000000002C31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              General

              Start time:21:30:51
              Start date:13/01/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
              Imagebase:0x300000
              File size:639488 bytes
              MD5 hash:1DC30F0B34A4F0D1404DC25A1CD54F6E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.296751787.00000000026B1000.00000004.00000001.sdmp, Author: Joe Security
              Reputation:low

              General

              Start time:21:30:58
              Start date:13/01/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:{path}
              Imagebase:0x490000
              File size:639488 bytes
              MD5 hash:1DC30F0B34A4F0D1404DC25A1CD54F6E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.314829401.0000000002A31000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.314829401.0000000002A31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low
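              Three things in the process list above are worth turning into checks rather than reading by eye: schtasks.exe is invoked twice with /create and an /xml task definition sitting in the user's Temp directory (the 'DHCP Monitor' and 'DHCP Monitor Task' entries), the file dropped as C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe carries the same MD5 as the original sample, and several Yara hits land at address 0x402000 in memory whose dump-source name ends in 00000040, that is PAGE_EXECUTE_READWRITE, while the process's own image base is reported elsewhere (0x4e0000 for process 4). A region that is both writable and executable at a classic 0x400000 image base is consistent with a second PE written into the process (unpacking or hollowing), which is why those hits point at the decrypted payload rather than the on-disk dropper. The script below is an added example, not part of the report or of Joe Sandbox: it runs those three checks over a constructed subset of the records above. The field layout it assumes for the dump-source names (process index, snapshot, id, base address, page protection, region type) is my reading of the names as printed and is not documented on this page; the protection constants are the Win32 PAGE_* values.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the process records from the System Behavior
# section above. "yara" holds the Source field of each Yara match for that process.
PROCESSES = [
    {"path": r"C:\Users\user\Desktop\New Order_1132012_xlxs.exe",
     "cmdline": r"'C:\Users\user\Desktop\New Order_1132012_xlxs.exe'",
     "md5": "1DC30F0B34A4F0D1404DC25A1CD54F6E",
     "yara": ["00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp"]},
    {"path": r"C:\Users\user\Desktop\New Order_1132012_xlxs.exe",
     "cmdline": "{path}",
     "md5": "1DC30F0B34A4F0D1404DC25A1CD54F6E",
     "yara": ["00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp",
              "00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp"]},
    {"path": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp'",
     "md5": "15FF7D8324231381BAD48A052F85DF04", "yara": []},
    {"path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "EA777DEEA782E8B4D7C7C33BBF8A4496", "yara": []},
    {"path": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5729.tmp'",
     "md5": "15FF7D8324231381BAD48A052F85DF04", "yara": []},
    {"path": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "cmdline": r"'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0",
     "md5": "1DC30F0B34A4F0D1404DC25A1CD54F6E",
     "yara": ["0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp"]},
    {"path": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "cmdline": "{path}",
     "md5": "1DC30F0B34A4F0D1404DC25A1CD54F6E",
     "yara": ["0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp"]},
]

# Directories from which a scheduled-task XML should never be imported.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
# Assumed layout of a dump-source name:
# <process index>.<snapshot>.<id>.<base address>.<page protection>.<region type>.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<snap>[0-9A-F]{8})\.\d+\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$", re.I)
PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant


def _arg(cmdline, flag):
    """Value following a schtasks flag; quoted with ' (as this report prints
    command lines) or with ", or a bare token."""
    m = re.search(re.escape(flag) + r"""\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", cmdline, re.I)
    return None if not m else next(g for g in m.groups() if g is not None)


def task_from_temp(proc):
    """schtasks /create importing an XML definition from a temp directory."""
    cmd = proc["cmdline"]
    if "schtasks" not in cmd.lower() or not re.search(r"/create\b", cmd, re.I):
        return None
    xml = _arg(cmd, "/xml")
    if xml and TEMP_DIR_RE.search(xml):
        return {"kind": "task_from_temp", "task": _arg(cmd, "/tn"), "xml": xml}
    return None


def yara_in_rwx(proc):
    """Yara hits whose memory region was executable and writable."""
    hits = []
    for src in proc["yara"]:
        m = DUMP_RE.match(src)
        if m and int(m["prot"], 16) == PAGE_EXECUTE_READWRITE:
            hits.append({"kind": "yara_in_rwx", "process": int(m["proc"], 16),
                         "base": int(m["base"], 16), "source": src})
    return hits


def dropped_copies(procs):
    """The same file hash running from more than one path (dropper copied itself)."""
    by_md5 = defaultdict(set)
    for p in procs:
        by_md5[p["md5"].upper()].add(p["path"])
    return [{"kind": "dropped_copy", "md5": h, "paths": sorted(paths)}
            for h, paths in by_md5.items() if len(paths) > 1]


def triage(procs):
    findings = []
    for p in procs:
        t = task_from_temp(p)
        if t:
            findings.append(t)
        findings.extend(yara_in_rwx(p))
    findings.extend(dropped_copies(procs))
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f)
```

              On the sample this reports both scheduled tasks with their Temp XML paths, one dropped copy (the sample hash at both the Desktop path and the DHCP Monitor path), and two RWX Yara hits at 0x402000, in process indices 4 and 0xD. The RWX check is deliberately strict (equality with 0x40); widen it to PAGE_EXECUTE_WRITECOPY (0x80) if the dumps you triage come from copy-on-write mappings. Note that the task definition itself is not on this page, so the check keys on where the XML is imported from, not on what the task runs.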

              Disassembly

              Code Analysis


                Executed Functions

                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 624b0240cfdad86cdd4f7bf6991c80a03d07f690d013d7959a87e3e56753b969
                • Instruction ID: 01993e7f4697cb530705d75bf19b10df96ab6eeb436b55c3683fcefbdea8cf7e
                • Opcode Fuzzy Hash: 624b0240cfdad86cdd4f7bf6991c80a03d07f690d013d7959a87e3e56753b969
                • Instruction Fuzzy Hash: BD92E971C19269CFEB24CFA6C9483EDFAB5FF58305F1480A9D019A6291D7B94AC5CF10
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 20a0ec0135b813b8e6212a3be09d9aa839dd400e35de3d5519dadbb43ccfe1b3
                • Instruction ID: 749d26793bb244105ed7655579099fd56b60010734e7a8e73ca91801cec1fa09
                • Opcode Fuzzy Hash: 20a0ec0135b813b8e6212a3be09d9aa839dd400e35de3d5519dadbb43ccfe1b3
                • Instruction Fuzzy Hash: 7232E9B1D15269CFEB28CF66C8583EDFAF6BF48305F1480A9D009A6291D7794AC9CF50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c1af13fb23e01e8ca0f91e6052c10e3403ee41b152b8171e647e87bc6d098412
                • Instruction ID: 28e327cfda2951f2d08c9153245bbef50083b52be4a14c63ca13b0c8822bfd94
                • Opcode Fuzzy Hash: c1af13fb23e01e8ca0f91e6052c10e3403ee41b152b8171e647e87bc6d098412
                • Instruction Fuzzy Hash: 7391A339E103198FCB14DFA4D8589DDBBB6FF89304F158615E406BB7A4EB70A845CB60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e39f9ec4bc02f5427390e98ecab97f9620e6bcf82c2a1fdb064308c46fadd609
                • Instruction ID: 33bec2e1f21ed08559a8aba78118c9f6eec8843ff22ba02f90ddaafc3b3c078d
                • Opcode Fuzzy Hash: e39f9ec4bc02f5427390e98ecab97f9620e6bcf82c2a1fdb064308c46fadd609
                • Instruction Fuzzy Hash: 34819139E103198FCB14DFE4D8548DDBBBAFF89304F158625E405BB6A4EB70A945CB60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e5bad2f1ec1e547d8244b64bd42b7644b3772e19f3dd573a73ba553c6dd7008c
                • Instruction ID: e714419acc7ea73aa8d417e9d665f9fd71aad8f7cb0844c76618927c5f381e37
                • Opcode Fuzzy Hash: e5bad2f1ec1e547d8244b64bd42b7644b3772e19f3dd573a73ba553c6dd7008c
                • Instruction Fuzzy Hash: 6951BC74E152089FDB18CFA6D988BDDFBF2BF89300F249029E409AB294DB745985CF54
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b48de6abe8b9f6f52f2665da51004de3d2109836fca39f611134275a6d9bff52
                • Instruction ID: 31651036ba14481d45bf52e0544d0e4ac5abeba988844b23200811b75eaedc9f
                • Opcode Fuzzy Hash: b48de6abe8b9f6f52f2665da51004de3d2109836fca39f611134275a6d9bff52
                • Instruction Fuzzy Hash: D251EF74D152189FDB18CFAAC984BDDBBF2BF89300F249129E809AB394DB745985CF50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 01369F16
                Memory Dump Source
                • Source File: 00000000.00000002.245043636.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: dc67d6407daac075f689b36cc98d4e23d94c67918d546cac85e7ea56a147ab3e
                • Instruction ID: 0470fa6cb275f9ef89ae5471b3f8d302d240f48d5722e034d47e42593256e11e
                • Opcode Fuzzy Hash: dc67d6407daac075f689b36cc98d4e23d94c67918d546cac85e7ea56a147ab3e
                • Instruction Fuzzy Hash: E4713470A00B059FDB24DF2AD58475ABBF9FF88208F00892DD54ADBA44DB74E849CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052D08E2
                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 44838d1fa0dccb2f935dacca54ae622b04f06e94773c6d26180f93bf6f1a940c
                • Instruction ID: 6c5090c7391f645e7c4c07849bfc333604080ea9f2e07cae64eb0d0a6d0c2c9b
                • Opcode Fuzzy Hash: 44838d1fa0dccb2f935dacca54ae622b04f06e94773c6d26180f93bf6f1a940c
                • Instruction Fuzzy Hash: 5A51CEB1D103499FDF14CFAAC884ADEFBB5BF48314F64852AE819AB250D7749845CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052D08E2
                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: be7b23f41c0a612cdf0184ab89d86446c279533d4b05ce158dbb0def6f7da62e
                • Instruction ID: f427807b94b53b089d66f0b054c7949325e55d5e26aa185de84dc86052346e5e
                • Opcode Fuzzy Hash: be7b23f41c0a612cdf0184ab89d86446c279533d4b05ce158dbb0def6f7da62e
                • Instruction Fuzzy Hash: D841CEB1D10309AFDF14CFAAC884ADEFBB5BF48314F24852AE819AB250D7749845CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 01365421
                Memory Dump Source
                • Source File: 00000000.00000002.245043636.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: bccd9970ee882fb7280080a893efa0b4c279d1107c8d4c498f94cfd8f0326551
                • Instruction ID: d8f1fa8ca6405960f9e77651e48fdafeb915f5c04529b8e3125f4d2f77d0c4ba
                • Opcode Fuzzy Hash: bccd9970ee882fb7280080a893efa0b4c279d1107c8d4c498f94cfd8f0326551
                • Instruction Fuzzy Hash: 8541E471D0472CCBDB24DFA9C94478DBBB5BF58308F608069D508BB254DBB56989CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 01365421
                Memory Dump Source
                • Source File: 00000000.00000002.245043636.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 563f00ad287cb80d663338104bd24b98c458f9c42c1872cc02fb7e0b9acd888c
                • Instruction ID: 8499478ec91de103d3ee4decf80011d0e91f8e892ab6337012254f2161d32ca7
                • Opcode Fuzzy Hash: 563f00ad287cb80d663338104bd24b98c458f9c42c1872cc02fb7e0b9acd888c
                • Instruction Fuzzy Hash: 7A41F371D04328CEDB24CFA9C9447CDBBB5BF58309F20846AD408BB254DB74698ACF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CallWindowProcW.USER32(?,?,?,?,?), ref: 052D2E41
                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false
                Similarity
                • API ID: CallProcWindow
                • String ID:
                • API String ID: 2714655100-0
                • Opcode ID: 0eacc2943d2ce7fc2440ce8714245a36dd13c88b38ae11a582036f8f16143edf
                • Instruction ID: 1f241e49695cbf0ef2d3c641a6c048a98bc292493742e5034f2d45af3babd19f
                • Opcode Fuzzy Hash: 0eacc2943d2ce7fc2440ce8714245a36dd13c88b38ae11a582036f8f16143edf
                • Instruction Fuzzy Hash: B84114B8A10255DFCB14CF99C488BAAFBF5FF88314F258499D519AB321D774A841CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0136C1B6,?,?,?,?,?), ref: 0136C277
                Memory Dump Source
                • Source File: 00000000.00000002.245043636.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 751973e6108165a3e3da63d4423a651efd3727bbe1812177af8504c04317762f
                • Instruction ID: ff5e55106a9a4d946e4b53ec1757b9522071cf53da4d4c70af6c1e8bcc433a96
                • Opcode Fuzzy Hash: 751973e6108165a3e3da63d4423a651efd3727bbe1812177af8504c04317762f
                • Instruction Fuzzy Hash: AD21E5B5900259EFDB10CFAAD484BDEBBF8EB48314F15841AE954A7310D374A954CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0136C1B6,?,?,?,?,?), ref: 0136C277
                Memory Dump Source
                • Source File: 00000000.00000002.245043636.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 682b114049b7309ea9a3e3b45f452a8ea9514612c0236c2d41bd2689b4e3354d
                • Instruction ID: 5ce87adbcb6eacdde0574daffefad93159e2fdcdff47a3d347f0aae0c686ac0b
                • Opcode Fuzzy Hash: 682b114049b7309ea9a3e3b45f452a8ea9514612c0236c2d41bd2689b4e3354d
                • Instruction Fuzzy Hash: 1421E7B5D00208EFDF10CFAAD584ADEBBF4FB58314F14841AE914A3210D374A954CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01369F91,00000800,00000000,00000000), ref: 0136A1A2
                Memory Dump Source
                • Source File: 00000000.00000002.245043636.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                Similarity
                • API ID: LibraryLoad

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01369F91,00000800,00000000,00000000), ref: 0136A1A2
                Memory Dump Source
                • Source File: 00000000.00000002.245043636.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                Similarity
                • API ID: LibraryLoad

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 01369F16
                Memory Dump Source
                • Source File: 00000000.00000002.245043636.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                Similarity
                • API ID: HandleModule

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 052D0A75
                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false
                Similarity
                • API ID: LongWindow

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 052D0A75
                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false
                Similarity
                • API ID: LongWindow

                Memory Dump Source
                • Source File: 00000000.00000002.244966880.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false

                Memory Dump Source
                • Source File: 00000000.00000002.244984553.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false

                Memory Dump Source
                • Source File: 00000000.00000002.244966880.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false

                Memory Dump Source
                • Source File: 00000000.00000002.244984553.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false

                Memory Dump Source
                • Source File: 00000000.00000002.244966880.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false

                Memory Dump Source
                • Source File: 00000000.00000002.244966880.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false

                Non-executed Functions

                Memory Dump Source
                • Source File: 00000000.00000002.245043636.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false

                Memory Dump Source
                • Source File: 00000000.00000002.245043636.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false

                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

                Memory Dump Source
                • Source File: 00000000.00000002.245043636.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false

                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

                Memory Dump Source
                • Source File: 00000000.00000002.249043747.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

                Executed Functions

                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false

                APIs
                • GetCurrentProcess.KERNEL32 ref: 0104B730
                • GetCurrentThread.KERNEL32 ref: 0104B76D
                • GetCurrentProcess.KERNEL32 ref: 0104B7AA
                • GetCurrentThreadId.KERNEL32 ref: 0104B803
                Memory Dump Source
                • Source File: 00000004.00000002.627824509.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread

                APIs
                • GetCurrentProcess.KERNEL32 ref: 0104B730
                • GetCurrentThread.KERNEL32 ref: 0104B76D
                • GetCurrentProcess.KERNEL32 ref: 0104B7AA
                • GetCurrentThreadId.KERNEL32 ref: 0104B803
                Memory Dump Source
                • Source File: 00000004.00000002.627824509.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread

                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 0104962E
                Memory Dump Source
                • Source File: 00000004.00000002.627824509.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                Similarity
                • API ID: HandleModule

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0104FD0A
                Memory Dump Source
                • Source File: 00000004.00000002.627824509.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                Similarity
                • API ID: CreateWindow

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0104FD0A
                Memory Dump Source
                • Source File: 00000004.00000002.627824509.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                Similarity
                • API ID: CreateWindow

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0104BD87
                Memory Dump Source
                • Source File: 00000004.00000002.627824509.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                Similarity
                • API ID: DuplicateHandle

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 029A46B1
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: Create

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 029A46B1
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: Create

                APIs
                • CallWindowProcW.USER32(?,?,?,?,?), ref: 029A2531
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: CallProcWindow

                APIs
                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 029AB957
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0104BD87
                Memory Dump Source
                • Source File: 00000004.00000002.627824509.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                Similarity
                • API ID: DuplicateHandle

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0104BD87
                Memory Dump Source
                • Source File: 00000004.00000002.627824509.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                Similarity
                • API ID: DuplicateHandle

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010496A9,00000800,00000000,00000000), ref: 010498BA
                Memory Dump Source
                • Source File: 00000004.00000002.627824509.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                Similarity
                • API ID: LibraryLoad

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010496A9,00000800,00000000,00000000), ref: 010498BA
                Memory Dump Source
                • Source File: 00000004.00000002.627824509.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                Similarity
                • API ID: LibraryLoad

                APIs
                • PostMessageW.USER32(?,00DD53E8,00000000,?), ref: 029AE73D
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: MessagePost

                APIs
                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 029AB957
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource

                APIs
                • PostMessageW.USER32(?,00DD53E8,00000000,?), ref: 029AE73D
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: MessagePost

                APIs
                • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,029A226A,?,00000000,?), ref: 029AC435
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: MessageSend

                APIs
                • SendMessageW.USER32(?,00000018,00000001,?), ref: 029AD29D
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 0418183477d6a782ea8c9cb0fc00a004305745c86f977f188e58c6e404529c92
                • Instruction ID: 65cc60bac1c2a28a52b0f4d61fd8fd5758fc01d22a5f7fa228ce0d206a43993c
                • Opcode Fuzzy Hash: 0418183477d6a782ea8c9cb0fc00a004305745c86f977f188e58c6e404529c92
                • Instruction Fuzzy Hash: 1E11F2B9804349DFDB10DF99C985BDEBBF8FB48324F14885AE914A7600D374A984CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • OleInitialize.OLE32(00000000), ref: 029AF435
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: Initialize
                • String ID:
                • API String ID: 2538663250-0
                • Opcode ID: 6e8512448f2eac0b2c9d4a7a969da6ebd333f84d4ac66009e720e890ac6f3883
                • Instruction ID: 7a64bad0ce0069e092a0968bd667aee81273c88db116321b8ab776ddf658d0c3
                • Opcode Fuzzy Hash: 6e8512448f2eac0b2c9d4a7a969da6ebd333f84d4ac66009e720e890ac6f3883
                • Instruction Fuzzy Hash: FA1148B1D043488FCB20CFA9C4897DEBFF4EB48324F148559D458A7600C339A94ACFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 0104962E
                Memory Dump Source
                • Source File: 00000004.00000002.627824509.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 3beda732239ac2d32d34264805dac47f4dde0302094da3ce12861ba758a06eed
                • Instruction ID: 3294a286ca20fd44fd7b3b928de0c426e8b61aa13c32e279aecbb0a1def6f1d2
                • Opcode Fuzzy Hash: 3beda732239ac2d32d34264805dac47f4dde0302094da3ce12861ba758a06eed
                • Instruction Fuzzy Hash: 4311E0B6D002498FDB10CF9AC484BDFFBF4EB88328F15846AD859A7600D378A545CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,00000018,00000001,?), ref: 029AD29D
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 20a57c7c69b27d096545a1fec69c4ff37ab3aefe75aa2964001a1df174798bdf
                • Instruction ID: d14780eacade0784f51e55d4bcc5a6cd4d5831d9cd3a0d52e948f910ee8bd77c
                • Opcode Fuzzy Hash: 20a57c7c69b27d096545a1fec69c4ff37ab3aefe75aa2964001a1df174798bdf
                • Instruction Fuzzy Hash: 4E1103B59003489FDB10DF9AC989BDFBBF8EB48324F148859E914A7700C374A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 029ABCBD
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: ff31a8ce03d37d14759498a8b5d0b15bf8618fdeb2cec3673a1de8057afc27e5
                • Instruction ID: 81b32fe9d4c13881f27c671c8c239dc76b3e4264e0a66023c3c741b8170d99c2
                • Opcode Fuzzy Hash: ff31a8ce03d37d14759498a8b5d0b15bf8618fdeb2cec3673a1de8057afc27e5
                • Instruction Fuzzy Hash: 5711E0B59003489FCB10DF99C599BDEBBF8EB58324F148459E914A7200C374A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,029A226A,?,00000000,?), ref: 029AC435
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 556ac516273e8ce05b99c308ec9ff5be9af68d3e83b398658143dc15379ca937
                • Instruction ID: 8998c81baf9ceaff0eaf4367c8a2de09148a420cc07ad40bf2d6d7c3b66b4556
                • Opcode Fuzzy Hash: 556ac516273e8ce05b99c308ec9ff5be9af68d3e83b398658143dc15379ca937
                • Instruction Fuzzy Hash: 4711F5B59003489FCB10DF99C545BDEBBF8EB48324F14845AE514A7600C374A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 029ABCBD
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 7ae99141340f2b0d96e0298f011b732c239e58e9fc600b41917d7ebd393bae03
                • Instruction ID: 2276f6e17aa33392c61936ff1f3ef51ee02786e10d47779683993fd58f2d8daf
                • Opcode Fuzzy Hash: 7ae99141340f2b0d96e0298f011b732c239e58e9fc600b41917d7ebd393bae03
                • Instruction Fuzzy Hash: 271103B59003499FDB20CF99D599BDFBBF4EB58324F148459E854A7200C374A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • OleInitialize.OLE32(00000000), ref: 029AF435
                Memory Dump Source
                • Source File: 00000004.00000002.628664089.00000000029A0000.00000040.00000001.sdmp, Offset: 029A0000, based on PE: false
                Similarity
                • API ID: Initialize
                • String ID:
                • API String ID: 2538663250-0
                • Opcode ID: 73e8ca79accecc2502422f96cf7b73e04b614fa20f919c114b008cb9a675a9dc
                • Instruction ID: e8aae4727b197e43c11ca36b25796bbef4b6d1cf10cccf6b90c87e936163a5d1
                • Opcode Fuzzy Hash: 73e8ca79accecc2502422f96cf7b73e04b614fa20f919c114b008cb9a675a9dc
                • Instruction Fuzzy Hash: 2E1115B59043488FCB10DF99C448BDEBBF4EB48364F158459D519A7700D779A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 0104FE9D
                Memory Dump Source
                • Source File: 00000004.00000002.627824509.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: e4d1aa28d77635712bcda741744e6229ca1dd6b43aad18670e12d26a18db899a
                • Instruction ID: 9d7a2e59355b9c10b553d497506e892e57371f2bc51c109d3c52b58e44c8eb0f
                • Opcode Fuzzy Hash: e4d1aa28d77635712bcda741744e6229ca1dd6b43aad18670e12d26a18db899a
                • Instruction Fuzzy Hash: 501103B5800249CFDB10CF99D585BDEFBF8FB48324F14845AD854A7201C374A984CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 0104FE9D
                Memory Dump Source
                • Source File: 00000004.00000002.627824509.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 0cbd3cd39dac2999959d80b55e79c3216191c0dc0b6f0cc2f06aec157a932662
                • Instruction ID: e0406538e7ba0eed385d4a9e8fb9f8a52327f0301982a9e7ed5e943db48c28ee
                • Opcode Fuzzy Hash: 0cbd3cd39dac2999959d80b55e79c3216191c0dc0b6f0cc2f06aec157a932662
                • Instruction Fuzzy Hash: 141112B58002498FDB20CF9AD585BDFBBF8EB88324F14845AE954A7300C374A944CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000004.00000002.627427745.0000000000D3D000.00000040.00000001.sdmp, Offset: 00D3D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ae868e68ad0894f68ca3a9433cc0e0bc9c838d0f44c9bc1fa45cc54ee9d0078c
                • Instruction ID: 663b77a6692a6c6f6cf2fe4bb8bcbecddf7dbfa009c79e7c191ae0a800da7b73
                • Opcode Fuzzy Hash: ae868e68ad0894f68ca3a9433cc0e0bc9c838d0f44c9bc1fa45cc54ee9d0078c
                • Instruction Fuzzy Hash: 1A210AB1508240DFDB05DF14E9C0B26BF66FB94328F24C569E9464B256C336D855CFB1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000004.00000002.627475998.0000000000D4D000.00000040.00000001.sdmp, Offset: 00D4D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 45f094e0121790ce4b600180f91b61b3fdf479b997600e66ca41e95d91116d82
                • Instruction ID: 273b1d3363bee98e24884d450cb90e6c2660f66b0eceb62d4da5bee6f60a35a5
                • Opcode Fuzzy Hash: 45f094e0121790ce4b600180f91b61b3fdf479b997600e66ca41e95d91116d82
                • Instruction Fuzzy Hash: 8A21D475508244DFDB14DF24D9C4B26BB66FB84314F28C5A9E94A4B346C33AD847CB71
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000004.00000002.627475998.0000000000D4D000.00000040.00000001.sdmp, Offset: 00D4D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 59a67e7f192807138d7ca40f4fb40325236298c35548d55c03b16588dfd605e4
                • Instruction ID: b2b1a232f71d242a1ef36a1fd928ddffcbe8e0e07adaf19144de9d73b85ef3fe
                • Opcode Fuzzy Hash: 59a67e7f192807138d7ca40f4fb40325236298c35548d55c03b16588dfd605e4
                • Instruction Fuzzy Hash: FB2180755093C08FCB02CF20D994715BF71EB46314F29C5EAD8498B697C33A984ACB62
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000004.00000002.627427745.0000000000D3D000.00000040.00000001.sdmp, Offset: 00D3D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 19a4610e377f139d1a44d723f741f34ad4651ab4acb05f468be59ed9d3ee3f9e
                • Instruction ID: d1e7b19306f6fe99eee9f2d050e78070542caa5d3e76fa3de70684ec6f0ee6dc
                • Opcode Fuzzy Hash: 19a4610e377f139d1a44d723f741f34ad4651ab4acb05f468be59ed9d3ee3f9e
                • Instruction Fuzzy Hash: 0111B176804280CFCB16CF14D9C4B56BF72FB95324F28C6A9D8050B616C336D85ACFA2
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                • GetCurrentProcess.KERNEL32 ref: 0148C028
                • GetCurrentThread.KERNEL32 ref: 0148C065
                • GetCurrentProcess.KERNEL32 ref: 0148C0A2
                • GetCurrentThreadId.KERNEL32 ref: 0148C0FB
                Memory Dump Source
                • Source File: 00000009.00000002.276595973.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: 5330390bf5be543a10214859c3a749fda13c6abd324c7a8f67e0b3311ab857ac
                • Instruction ID: d8361289584fc30121db33667c6ade88a3052e23ae39080941ffdd048086616b
                • Opcode Fuzzy Hash: 5330390bf5be543a10214859c3a749fda13c6abd324c7a8f67e0b3311ab857ac
                • Instruction Fuzzy Hash: 0D5164B09003499FEB14DFA9D588BDEBFF1AF4A304F24849AE419A77A1C7349845CF25
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32 ref: 0148C028
                • GetCurrentThread.KERNEL32 ref: 0148C065
                • GetCurrentProcess.KERNEL32 ref: 0148C0A2
                • GetCurrentThreadId.KERNEL32 ref: 0148C0FB
                Memory Dump Source
                • Source File: 00000009.00000002.276595973.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: ef8811eb05a6b3b280ed5168564f3fbdc1e6abe741a8451bde2b936bae6e1c52
                • Instruction ID: ae86ab6e743f2c884a055debdc2c4b6aec0adf013bbe5e402357effa22ccfbdb
                • Opcode Fuzzy Hash: ef8811eb05a6b3b280ed5168564f3fbdc1e6abe741a8451bde2b936bae6e1c52
                • Instruction Fuzzy Hash: 3B5164B4900249DFEB14DFAAD588BDEBBF1EF49304F24845AE409A77A0C734A845CF65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 01489F16
                Memory Dump Source
                • Source File: 00000009.00000002.276595973.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 7fdd3c60eefcab771ebe77aad49ad579665117c0b6b6ce316f1ee4ece4c8e6b5
                • Instruction ID: 4b32084d1bcb461913be79ad508e15db5bca43fce46af3d45a588db25a22c23c
                • Opcode Fuzzy Hash: 7fdd3c60eefcab771ebe77aad49ad579665117c0b6b6ce316f1ee4ece4c8e6b5
                • Instruction Fuzzy Hash: 71713470A00B059FD724EF2AD08476BBBF5BF88208F00892ED58AD7B50D734E9468B91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 01485421
                Memory Dump Source
                • Source File: 00000009.00000002.276595973.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 9f52582b6b83c51f4cd77c419ada91c324b7637d20c5ae0083127aa4e87d48f6
                • Instruction ID: 70b0daf0f087844a634c718d03441cb8c35d81cd5d631a99b65b4f350a939954
                • Opcode Fuzzy Hash: 9f52582b6b83c51f4cd77c419ada91c324b7637d20c5ae0083127aa4e87d48f6
                • Instruction Fuzzy Hash: 75413270D04718CFDB24DFA9D844BCEBBB5BF49318F25806AD408AB250D775698ACF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 01485421
                Memory Dump Source
                • Source File: 00000009.00000002.276595973.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: d3a52699898f64c66d47356719ae5785e4267d366309809575690a9424b93803
                • Instruction ID: 3f9323ed8dffd1dc0ef212d5c874f5906e1b6891d64fd218581afff0db9f019a
                • Opcode Fuzzy Hash: d3a52699898f64c66d47356719ae5785e4267d366309809575690a9424b93803
                • Instruction Fuzzy Hash: 6941F270D04318CBDB24DFA9D844B8EBBB5BF48318F25806AD419AB350D775694ACF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0148C277
                Memory Dump Source
                • Source File: 00000009.00000002.276595973.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 942c5439c5840af094ed9a4267f390ac06a1f4753c3bb0c436f8284e5aeef043
                • Instruction ID: ed3291e06d9a51488aac3eccc2c966d04728365716daecf095cdbf84f69ab8f4
                • Opcode Fuzzy Hash: 942c5439c5840af094ed9a4267f390ac06a1f4753c3bb0c436f8284e5aeef043
                • Instruction Fuzzy Hash: 1421F2B5D00248AFDB10CFAAD884AEEBFF4EB48320F15841AE954A3250C378A945CF60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0148C277
                Memory Dump Source
                • Source File: 00000009.00000002.276595973.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 98bf32241000a9e41065d350373d22a7593b100388d0877d0778390e1ad5fb11
                • Instruction ID: 868a4b048d1aa02af8ab6de0a1b49b66931c095f7e58bb3c342eea9443b16dcf
                • Opcode Fuzzy Hash: 98bf32241000a9e41065d350373d22a7593b100388d0877d0778390e1ad5fb11
                • Instruction Fuzzy Hash: DB21C4B5D00259DFDB10CFAAD484ADEBBF8FB48324F15841AE914A7350D378A954CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01489F91,00000800,00000000,00000000), ref: 0148A1A2
                Memory Dump Source
                • Source File: 00000009.00000002.276595973.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 5ada895c5e7ad611ff9fb225382d5f2aef4d8e0caa785e1f1c1b64927fb6f36f
                • Instruction ID: 1ec02301ece32e62dc0eab19b82f93a9ca6261453ae812faa9be9a99af4a9787
                • Opcode Fuzzy Hash: 5ada895c5e7ad611ff9fb225382d5f2aef4d8e0caa785e1f1c1b64927fb6f36f
                • Instruction Fuzzy Hash: 191103B69002089FDB10DF9AD444B9EFBF4EB98354F15842AE915A7310C3B9A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01489F91,00000800,00000000,00000000), ref: 0148A1A2
                Memory Dump Source
                • Source File: 00000009.00000002.276595973.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 240ef03440ec9cd85e9c5d246ee063ae8bde0f5e1c32915b2cb73c0118ce16dd
                • Instruction ID: 31f8c5440d46f1f35a2671e9e8288c1cc68024d42540ce58a9c989a8cc821dbf
                • Opcode Fuzzy Hash: 240ef03440ec9cd85e9c5d246ee063ae8bde0f5e1c32915b2cb73c0118ce16dd
                • Instruction Fuzzy Hash: 8B1117B6C002489FDB10CFAAD484BDEFBF4AB98354F15852AD815A7310C379A545CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 01489F16
                Memory Dump Source
                • Source File: 00000009.00000002.276595973.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 93106daf5c03db79130520a71f940deb461e1dda8617399c7f01316445c86dab
                • Instruction ID: 42ba502b93fa44b96eb81b6bbdf45bd31aef37dc593f8eca73091702c1a149ae
                • Opcode Fuzzy Hash: 93106daf5c03db79130520a71f940deb461e1dda8617399c7f01316445c86dab
                • Instruction Fuzzy Hash: E71110B6C007498FDB14DF9AC444BDEFBF8EB88224F14842AD929B7610C378A545CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000009.00000002.276021937.000000000122D000.00000040.00000001.sdmp, Offset: 0122D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 99877e195455b23b34bbaa27e46d78c5211fb1e552e3f5952958cbba24868d95
                • Instruction ID: be4a6c20c370a82cb9131d2ef11241ce3e2068fa98826b404fb81adcd43f3e5a
                • Opcode Fuzzy Hash: 99877e195455b23b34bbaa27e46d78c5211fb1e552e3f5952958cbba24868d95
                • Instruction Fuzzy Hash: 72216AB1514248EFDB15DF94E9C0B2EBF61FB88328F24C568E9050B207C3B6D465CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000009.00000002.276049991.000000000123D000.00000040.00000001.sdmp, Offset: 0123D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e8fa0354eda715cb892a26662bfbe33d913677de0320c317c337509981cf5b5f
                • Instruction ID: 63deec570410d0de45abeceace3b2afefd2295f3d2b429f5c516baba159d4e1f
                • Opcode Fuzzy Hash: e8fa0354eda715cb892a26662bfbe33d913677de0320c317c337509981cf5b5f
                • Instruction Fuzzy Hash: B32142B1628208DFCB14CFA4D8C0B26FB61FBC4B54F64C969E94A4B246C336D846CA61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000009.00000002.276049991.000000000123D000.00000040.00000001.sdmp, Offset: 0123D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9a9fb611a2f7fb2031f1e6a7492ff86a2cf5632d3539d7ef9217c63a91fbcbe5
                • Instruction ID: 82775f17778dfa242b444a53e018119a356b61b47074ef3a6712633479ab87d7
                • Opcode Fuzzy Hash: 9a9fb611a2f7fb2031f1e6a7492ff86a2cf5632d3539d7ef9217c63a91fbcbe5
                • Instruction Fuzzy Hash: 0C217FB54083849FCB02CF64D994B11BF71EB86714F28C5DAD9458B267C33A985ACB62
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000009.00000002.276021937.000000000122D000.00000040.00000001.sdmp, Offset: 0122D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 19a4610e377f139d1a44d723f741f34ad4651ab4acb05f468be59ed9d3ee3f9e
                • Instruction ID: 734912045fdfe862d14b0d6a44e4fbd27e654d363207618ab0a28c5f07f1ffd9
                • Opcode Fuzzy Hash: 19a4610e377f139d1a44d723f741f34ad4651ab4acb05f468be59ed9d3ee3f9e
                • Instruction Fuzzy Hash: C8110376404284DFCB12CF44D5C0B5ABF72FB88324F28C6A9D9050B217C33AD46ACBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000009.00000002.276021937.000000000122D000.00000040.00000001.sdmp, Offset: 0122D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 57f34dc3b492233dd8564b81be206e0cf51cca4f5ef511284714924465720e3c
                • Instruction ID: 30c3281ee8142b2c9f97113901e2da906876f0e2bdd4b7f732f1c992605b1e4d
                • Opcode Fuzzy Hash: 57f34dc3b492233dd8564b81be206e0cf51cca4f5ef511284714924465720e3c
                • Instruction Fuzzy Hash: E401F7714283A8AAE7244E65CDC4B6ABBD8DF41264F08C51AEF044A246D37D9441C6B1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000009.00000002.276021937.000000000122D000.00000040.00000001.sdmp, Offset: 0122D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4ae87c47cc70ed979da1532225e7d5f0117e3f00200e9816275aefd572a51700
                • Instruction ID: 787e3fe444d6b9b9e4ac993dce6b560a725d674816c1a227870e8a73b1f819f5
                • Opcode Fuzzy Hash: 4ae87c47cc70ed979da1532225e7d5f0117e3f00200e9816275aefd572a51700
                • Instruction Fuzzy Hash: B0F09C75404394AEE7158F55CCC4B66FFD8DB81774F18C45AEE045B286C37D9844CAB1
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Executed Functions

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 00859F16
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.275124131.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID: pOn$pOn
                • API String ID: 4139908857-255996268
                • Opcode ID: 5d2eadcd7ce0c1bdca7d75bbb6f1ea6acf8e71bddc19ee40557117ffad9e9fa4
                • Instruction ID: 84cac5971689564f96c87ebd606ccc0bb02d4f56f203ed790863cf4479a0b2a3
                • Opcode Fuzzy Hash: 5d2eadcd7ce0c1bdca7d75bbb6f1ea6acf8e71bddc19ee40557117ffad9e9fa4
                • Instruction Fuzzy Hash: 5B711670A00B05CFDB24DF29D54575ABBF5FF88305F00892ED88AD7A40D775E9498B91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A808E2
                Memory Dump Source
                • Source File: 0000000A.00000002.280125044.0000000004A80000.00000040.00000001.sdmp, Offset: 04A80000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 73301528f24da577569830382e1b0ff744853270c2d2f5186ae1d638393dc08e
                • Instruction ID: 028d9ea14923db5934fbfedfb7e80f4518ee5e82aa82c4829ae44f8f216a8021
                • Opcode Fuzzy Hash: 73301528f24da577569830382e1b0ff744853270c2d2f5186ae1d638393dc08e
                • Instruction Fuzzy Hash: 5A51E2B1D04309DFDB14DF99C880ADEBBB5FF48314F25852AE818AB250D774A885CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A808E2
                Memory Dump Source
                • Source File: 0000000A.00000002.280125044.0000000004A80000.00000040.00000001.sdmp, Offset: 04A80000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 5de29e4717303be6e1f78637db9363a0a8b1b5dbaddeefd54de762112b73cc09
                • Instruction ID: e9277b7c8bd8099e1745eef19877a387af8f078c3d0e01d1c214696192b125e1
                • Opcode Fuzzy Hash: 5de29e4717303be6e1f78637db9363a0a8b1b5dbaddeefd54de762112b73cc09
                • Instruction Fuzzy Hash: A941D2B1D04309DFDB14DF99C880ADEBBB5FF48314F25852AE819AB210D770A885CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 00855421
                Memory Dump Source
                • Source File: 0000000A.00000002.275124131.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: a40956e407fb27941d829e01496496cad62de551787992d25555f66cd51460d4
                • Instruction ID: 81dbd0e5ebf41cf9591495138cd43abccae9bb6045ce838bfa4a713d5ba6d14f
                • Opcode Fuzzy Hash: a40956e407fb27941d829e01496496cad62de551787992d25555f66cd51460d4
                • Instruction Fuzzy Hash: 2C4103B0C04629CFDB24DFA9C8847CDBBB1FF88319F118069D408AB251D7B5698ACF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateActCtxA.KERNEL32(?), ref: 00855421
                Memory Dump Source
                • Source File: 0000000A.00000002.275124131.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 4fbbbab1c5ac11080f1dd7f849c0277f94083201cb29933cd98e8b568a994fcb
                • Instruction ID: aeee35650ea19055185cca55e07dabc0ec4164d3a8ffce780909daca2ecc6881
                • Opcode Fuzzy Hash: 4fbbbab1c5ac11080f1dd7f849c0277f94083201cb29933cd98e8b568a994fcb
                • Instruction Fuzzy Hash: 3641D2B0C04718CBDB24DFA9C94479EBBB1FF89319F218069D409BB251D775698ACF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CallWindowProcW.USER32(?,?,?,?,?), ref: 04A82E41
                Memory Dump Source
                • Source File: 0000000A.00000002.280125044.0000000004A80000.00000040.00000001.sdmp, Offset: 04A80000, based on PE: false
                Similarity
                • API ID: CallProcWindow
                • String ID:
                • API String ID: 2714655100-0
                • Opcode ID: f74559deaeb6b1535f26b5ae741f0fe40aa3bfa57c011d258ae1c7ae1327688c
                • Instruction ID: ae1eedbc54bc4b70a73fa38fdd120b8b229906a01d5f921010377946bd69317e
                • Opcode Fuzzy Hash: f74559deaeb6b1535f26b5ae741f0fe40aa3bfa57c011d258ae1c7ae1327688c
                • Instruction Fuzzy Hash: 684135B5A00345CFDB14DF99C888BAABBF5FB88314F258498D519AB321D334A841CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0085C1B6,?,?,?,?,?), ref: 0085C277
                Memory Dump Source
                • Source File: 0000000A.00000002.275124131.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 425cfff7a7cd987b4769dd776f343e7bda618e3215788354b71b7aea8e445172
                • Instruction ID: 4a2099b52df2106267efd9749dce6eca690c090e08e4996461f861c20da1fa7c
                • Opcode Fuzzy Hash: 425cfff7a7cd987b4769dd776f343e7bda618e3215788354b71b7aea8e445172
                • Instruction Fuzzy Hash: 4D21D2B5900319EFDB10CFAAD484ADEBBF4FB48324F14841AE914A7210D374A954CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0085C1B6,?,?,?,?,?), ref: 0085C277
                Memory Dump Source
                • Source File: 0000000A.00000002.275124131.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: faa58d179fa94658885962ad07f11081b14c346d74455e67448d2b94703d11bf
                • Instruction ID: cea098dba5a491c22d324c21ca56cc6ea4e3f9daa4c51374c31210ebf575e4f9
                • Opcode Fuzzy Hash: faa58d179fa94658885962ad07f11081b14c346d74455e67448d2b94703d11bf
                • Instruction Fuzzy Hash: 9E2100B5D01359EFDB00CFAAD884ADEBBF4FB48324F15841AE914A7210C378A955CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00859F91,00000800,00000000,00000000), ref: 0085A1A2
                Memory Dump Source
                • Source File: 0000000A.00000002.275124131.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: b0598d6487dea1112796960cadc2f001f222466b02d8ddcc13448dab3dbf35d3
                • Instruction ID: 6d601859fbf3ad1fb24a082250dc63d4b8c02816066348aeda484b1846c0ac08
                • Opcode Fuzzy Hash: b0598d6487dea1112796960cadc2f001f222466b02d8ddcc13448dab3dbf35d3
                • Instruction Fuzzy Hash: 281106B59006099FDB14CF9AC484B9EFBF4EB98314F15852AE915A7200C774A949CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00859F91,00000800,00000000,00000000), ref: 0085A1A2
                Memory Dump Source
                • Source File: 0000000A.00000002.275124131.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: da07c91e8d386eacb92f038902e0cd283ce4a507dcea87d5c0e9d5d553404e33
                • Instruction ID: 19d0fd888d33eb8d9b48be3eea0ed0e0639389b1d74cd96899ecadf0ba9a63d7
                • Opcode Fuzzy Hash: da07c91e8d386eacb92f038902e0cd283ce4a507dcea87d5c0e9d5d553404e33
                • Instruction Fuzzy Hash: 591137B6D006099FDB10CFAAC484BDEFBF4FB88324F15852AD915A7200D374A949CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 00859F16
                Memory Dump Source
                • Source File: 0000000A.00000002.275124131.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: f560bc92dc187fffc1ba5920edd24f2a27731692f408282aa838d1262ec50ccb
                • Instruction ID: f509fac67c7db7931ec4589ee1a95573af9c9d8f9617e8b05f815947613dc659
                • Opcode Fuzzy Hash: f560bc92dc187fffc1ba5920edd24f2a27731692f408282aa838d1262ec50ccb
                • Instruction Fuzzy Hash: F311DFB6C00649CFDB10DF9AD444BDEFBF4EB88324F15842AD869A7600D378A549CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 04A80A75
                Memory Dump Source
                • Source File: 0000000A.00000002.280125044.0000000004A80000.00000040.00000001.sdmp, Offset: 04A80000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 32fb6601595225af262a3c643c2258fa35920e455f3eeb526a7031f68d2ea77e
                • Instruction ID: eb3e88b2334be0381fc205cbbca320794efcd52a62ccfeeb5c0dfc837dcf6ce2
                • Opcode Fuzzy Hash: 32fb6601595225af262a3c643c2258fa35920e455f3eeb526a7031f68d2ea77e
                • Instruction Fuzzy Hash: CC1100B5800249DFDB10DF9AC484BDEFBF8EB48324F14841AE855A7200C374A954CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 04A80A75
                Memory Dump Source
                • Source File: 0000000A.00000002.280125044.0000000004A80000.00000040.00000001.sdmp, Offset: 04A80000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 7ad432a7b81f2b4ec2b43393c3eb30cfb966ae2479925ed525560c4511d35205
                • Instruction ID: 052efb55e53dfb7919613689128fc6c736dd72c29a908ce843b505d65de35553
                • Opcode Fuzzy Hash: 7ad432a7b81f2b4ec2b43393c3eb30cfb966ae2479925ed525560c4511d35205
                • Instruction Fuzzy Hash: 8E1142B990024ACFDB10CF99D484BDEFBF4EB48324F14881AD859A7740C378A955CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000A.00000002.274969459.00000000006DD000.00000040.00000001.sdmp, Offset: 006DD000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 40eb0c990303a51114ca39836546d2db42d30d3845b449d585d91060c582bfd4
                • Instruction ID: 0351c7de31936641c75f1d023d37e749b5a9304646573395440f6f8f3da6efac
                • Opcode Fuzzy Hash: 40eb0c990303a51114ca39836546d2db42d30d3845b449d585d91060c582bfd4
                • Instruction Fuzzy Hash: 9C210DB1904244EFDB05EF50E9C0F66BF66FB94318F24C56AD9054B346C336D856C7A1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000A.00000002.275027080.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1bcc272e96fd645fa0119ffee813c7dca3823c674142bc7c90d06d2596aea34d
                • Instruction ID: 7312f12253d363566154f536bd479b9409a5a2507fa495693ffef34827bda460
                • Opcode Fuzzy Hash: 1bcc272e96fd645fa0119ffee813c7dca3823c674142bc7c90d06d2596aea34d
                • Instruction Fuzzy Hash: FC210475508380DFCB14DF20D9C4B26BB66FB84314F28C569E94A4B346C336D847CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000A.00000002.275027080.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f0a4e52d545a30b8a4d0fb3951cefabedefc7706c9a178547f59a7d0706c0d43
                • Instruction ID: 8f590602e7aff300519558d9ce84814685742ed99edc6a6358fac2a4a23ed8e2
                • Opcode Fuzzy Hash: f0a4e52d545a30b8a4d0fb3951cefabedefc7706c9a178547f59a7d0706c0d43
                • Instruction Fuzzy Hash: 402192755093C08FCB02CF20D990755BF71EB46314F29C5DAD8498F6A7C33A984ACB62
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000A.00000002.274969459.00000000006DD000.00000040.00000001.sdmp, Offset: 006DD000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 19a4610e377f139d1a44d723f741f34ad4651ab4acb05f468be59ed9d3ee3f9e
                • Instruction ID: a9ca9cc42c58240ffaf301be6f20a63601a20c390335a42ccf4ad460de8a1ca3
                • Opcode Fuzzy Hash: 19a4610e377f139d1a44d723f741f34ad4651ab4acb05f468be59ed9d3ee3f9e
                • Instruction Fuzzy Hash: F511D376804280CFCB15DF10D5C4B56BF72FB98324F28C6AAD8450B756C336D85ACBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000A.00000002.274969459.00000000006DD000.00000040.00000001.sdmp, Offset: 006DD000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 408b0c1641c0c8304889102b369f27501392cc661246a790e227fd0f79e3cfd6
                • Instruction ID: 13099232c6246c1b8d011cad55b7050def0e5c33128e1d418df88be6184117e7
                • Opcode Fuzzy Hash: 408b0c1641c0c8304889102b369f27501392cc661246a790e227fd0f79e3cfd6
                • Instruction Fuzzy Hash: CF01F771808354AAE7206A21CDC4B66BB98EF51364F19C59BED044A386D379D841CAB1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000A.00000002.274969459.00000000006DD000.00000040.00000001.sdmp, Offset: 006DD000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 07eac7bce8bc4ba2da086e8038f06b0ca759a0cfc342c3c88fef46d5f2eea18b
                • Instruction ID: e85dca428d36168ad3bf576fdc9a58d1250c87ae1c12bd19e3f9bf2d194ee4a2
                • Opcode Fuzzy Hash: 07eac7bce8bc4ba2da086e8038f06b0ca759a0cfc342c3c88fef46d5f2eea18b
                • Instruction Fuzzy Hash: 82F0C271808654AEE7209E16CCC4BA2FBA8EB91374F18C05AED084B386C3799844CAB0
                Uniqueness

                Uniqueness Score: -1.00%
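
The records above are flat text, and two things about them matter when triaging this sample: several call sites appear under more than one Opcode ID (DuplicateHandle at 0085C277, LoadLibraryExW at 0085A1A2, SetWindowLongW at 04A80A75), so counting API refs over-states the distinct code, and every dump region here is marked "based on PE: false", i.e. the code is not backed by an on-disk image. As an added example (not part of the Joe Sandbox report), this Python parses records in the format shown above into structured rows, groups them by dump region, and flags call sites that the report split across several function records. The sample input is a constructed subset copied from the listing; the meaning of the dotted fields in the .sdmp file name (PID, stage, dump id, base, page protection, type) is an assumption, not something the page states.

```python
"""Parse Joe Sandbox 'Executed Functions' records (format shown above)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three records copied from the listing above, trimmed to
# the fields the parser needs (unrecognised lines are skipped anyway).
SAMPLE = """APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0085C1B6,?,?,?,?,?), ref: 0085C277
Memory Dump Source
• Source File: 0000000A.00000002.275124131.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• Opcode ID: 425cfff7a7cd987b4769dd776f343e7bda618e3215788354b71b7aea8e445172
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0085C1B6,?,?,?,?,?), ref: 0085C277
• Source File: 0000000A.00000002.275124131.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false
• Opcode ID: faa58d179fa94658885962ad07f11081b14c346d74455e67448d2b94703d11bf
Uniqueness Score: -1.00%

• Source File: 0000000A.00000002.274969459.00000000006DD000.00000040.00000001.sdmp, Offset: 006DD000, based on PE: false
• API ID:
• Opcode ID: 40eb0c990303a51114ca39836546d2db42d30d3845b449d585d91060c582bfd4
Uniqueness Score: -1.00%
"""

API_LINE = re.compile(r"•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")
SOURCE_LINE = re.compile(r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),"
                         r"\s*based on PE:\s*(true|false)")
KV_LINE = re.compile(r"•\s*([^:]+):\s*(.*)")
SECTION_HEADERS = {"APIs", "Memory Dump Source", "Similarity", "Uniqueness"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)    # (api name, module, call-site address)
    source_file: str = ""
    offset: int = 0                             # base address of the dumped region
    based_on_pe: bool = False                   # False: not backed by an on-disk image
    fields: dict = field(default_factory=dict)  # API ID, Opcode ID, hashes, as written
    uniqueness: Optional[float] = None


def parse_records(text: str) -> list:
    """One record per 'Uniqueness Score' line; section headers are ignored."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTION_HEADERS:
            continue
        if line.startswith("Uniqueness Score:"):
            cur.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
            records.append(cur)
            cur = FunctionRecord()
        elif (m := API_LINE.match(line)):
            name, module, _args, ref = m.groups()
            cur.apis.append((name, module, int(ref, 16)))
        elif (m := SOURCE_LINE.search(line)):
            cur.source_file, cur.offset = m.group(1), int(m.group(2), 16)
            cur.based_on_pe = m.group(3) == "true"
        elif (m := KV_LINE.match(line)):
            cur.fields[m.group(1).strip()] = m.group(2).strip()
    return records


def decode_dump_name(name: str) -> dict:
    """Assumption (not stated on the page): the .sdmp name is
    <pid>.<stage>.<dump id>.<base>.<page protection>.<type>.sdmp with hex
    fields, so 00000040 would be PAGE_EXECUTE_READWRITE (0x40)."""
    pid, stage, dump_id, base, protect, _kind, _ext = name.split(".")
    prot = int(protect, 16)
    return {"pid": int(pid, 16), "stage": int(stage, 16), "dump_id": int(dump_id),
            "base": int(base, 16), "protection": prot, "rwx": prot == 0x40}


def group_by_region(records: list) -> dict:
    out = defaultdict(list)
    for r in records:
        out[r.offset].append(r)
    return dict(out)


def call_sites(records: list, api_name: str) -> list:
    """Sorted call-site addresses of one API across all records."""
    return sorted({ref for r in records for n, _m, ref in r.apis if n == api_name})


def duplicated_call_sites(records: list) -> dict:
    """Call sites listed under more than one Opcode ID (the same API call was
    emitted as several function records), so deduplicate on Opcode ID."""
    seen = defaultdict(set)
    for r in records:
        for n, _m, ref in r.apis:
            seen[(n, ref)].add(r.fields.get("Opcode ID"))
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for base, rs in group_by_region(recs).items():
        apis = sorted({n for r in rs for n, _m, _ref in r.apis})
        info = decode_dump_name(rs[0].source_file)
        print(f"{base:08X} pe-backed={rs[0].based_on_pe} rwx={info['rwx']} "
              f"records={len(rs)} apis={apis}")
    print("split call sites:", duplicated_call_sites(recs))
```

Run it over the full listing (paste the records into SAMPLE or read them from a file) to get one row per dump region with the APIs reached from it; for this sample that separates the 00850000 region (DuplicateHandle, LoadLibraryExW, GetModuleHandleW) from the 04A80000 region (CallWindowProcW, SetWindowLongW) and from the 006DD000/006ED000 regions that contain no resolved API calls.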

                Non-executed Functions