
Analysis Report TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE

Overview

General Information

Sample Name: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE
Analysis ID: 343026
MD5: d40d97b41a353bc42b0e7ebe451886d9
SHA1: 8e416c76489782a32eade1b03bcd26dce3f19a82
SHA256: 23b46a12d6b6a703b8e588d24f3c0018cf749556b021b514b963587e7adaa25b
Tags: EXE, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE (PID: 5816 cmdline: 'C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE' MD5: D40D97B41A353BC42B0E7EBE451886D9)
    • conhost.exe (PID: 1372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 2204 cmdline: 'C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE' MD5: D621FD77BD585874F9686D3A76462EF1)
      • schtasks.exe (PID: 7024 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp731A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6764 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7609.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • MSBuild.exe (PID: 6908 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0 MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6968 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 2480 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["91.193.75.155"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
00000003.00000002.1047366764.0000000006580000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
(5 of 12 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
3.2.MSBuild.exe.6580000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
(5 of 15 entries shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 2204, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp731A.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp731A.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE' , ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 2204, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp731A.tmp', ProcessId: 7024

Signature Overview

AV Detection:

Found malware configuration
Source: MSBuild.exe.2204.3.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["91.193.75.155"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for submitted file
Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Metadefender: Detection: 18%
Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | ReversingLabs: Detection: 59%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1047366764.0000000006580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1044661467.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1041355870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 2204, type: MEMORY
Source: Yara match | File source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MSBuild.exe.6580000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MSBuild.exe.6580000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Joe Sandbox ML: detected
Source: 3.2.MSBuild.exe.6580000.4.unpack | Avira: Label: TR/NanoCore.fadte
Source: 3.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb%0 source: MSBuild.exe, 00000003.00000003.941644723.0000000001268000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: MSBuild.exe, 00000003.00000003.950346541.000000000126D000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.3.dr
Source: Binary string: wntdll.pdbUGP source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE, 00000001.00000003.652861148.000000001BC10000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE, 00000001.00000003.652861148.000000001BC10000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: MSBuild.exe, 00000003.00000003.941644723.0000000001268000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 00000003.00000003.657703157.0000000001222000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000000.664261186.0000000000C72000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000002.683748941.0000000000012000.00000002.00020000.sdmp, dhcpmon.exe.3.dr
Source: Binary string: \??\C:\Windows\System.pdb source: MSBuild.exe, 00000003.00000003.950311338.000000000125D000.00000004.00000001.sdmp
Source: Binary string: System.pdbU! source: MSBuild.exe, 00000003.00000003.941616893.000000000125D000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: MSBuild.exe, 00000003.00000003.996753411.0000000006976000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49737 -> 91.193.75.155:5090
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 91.193.75.155
Uses dynamic DNS services
Source: unknown | DNS query: name: mimi121.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 91.193.75.155:5090
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown | TCP traffic detected without corresponding DNS query: 92.122.145.220
Source: unknown | DNS traffic detected: queries for: mimi121.duckdns.org
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: MSBuild.exe, 00000003.00000002.1047366764.0000000006580000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1047366764.0000000006580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1044661467.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1041355870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 2204, type: MEMORY
Source: Yara match | File source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MSBuild.exe.6580000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MSBuild.exe.6580000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000002.1047366764.0000000006580000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000003.00000002.1044661467.00000000040D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000002.1047272619.00000000064F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000003.00000002.1041355870.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000003.00000002.1041355870.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: MSBuild.exe PID: 2204, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: MSBuild.exe PID: 2204, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.MSBuild.exe.6580000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 3.2.MSBuild.exe.64f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 3.2.MSBuild.exe.6580000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Initial sample is a PE file and has a suspicious nameShow sources
      Source: initial sampleStatic PE information: Filename: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXECode function: 1_2_00A558CB
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXECode function: 1_2_00A65810
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXECode function: 1_2_00A64ACF
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXECode function: 1_2_00A653DB
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXECode function: 1_2_00A65C45
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Code function: 1_2_00A64FC3
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Code function: 1_2_00A58F0B
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_0541E471
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_0541E480
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_0541BBD4
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_06A70040
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_006C5CF9
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_006C18C0
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_006C2148
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_006C4A20
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_006C2133
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_02E35858
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_02E34580
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_02E32148
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_02E31A40
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_02E32133
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Code function: String function: 00A54E1D appears 36 times
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Code function: String function: 00A554B0 appears 58 times
      Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dhcpmon.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE, 00000001.00000003.653347801.000000001BEBF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE
      Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.1047366764.0000000006580000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.1047366764.0000000006580000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.1044661467.00000000040D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.1047272619.00000000064F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.1047272619.00000000064F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.1041355870.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.1041355870.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: MSBuild.exe PID: 2204, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: MSBuild.exe PID: 2204, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.MSBuild.exe.6580000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.MSBuild.exe.6580000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.MSBuild.exe.64f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.MSBuild.exe.64f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.MSBuild.exe.6580000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.MSBuild.exe.6580000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 3.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 3.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: dhcpmon.exe.3.dr, Microsoft.Build/CommandLine/OutOfProcTaskHostNode.cs | Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
      Source: dhcpmon.exe.3.dr, Microsoft.Build/BackEnd/TaskParameter.cs | Task registration methods: 'CreateNewTaskItemFrom'
      Source: dhcpmon.exe.3.dr, Microsoft.Build/Shared/RegisteredTaskObjectCacheBase.cs | Task registration methods: '.cctor', 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', '.ctor', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
      Source: 15.2.dhcpmon.exe.10000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 15.2.dhcpmon.exe.10000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: dhcpmon.exe.3.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: dhcpmon.exe.3.dr, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: dhcpmon.exe.3.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: dhcpmon.exe.3.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
      Source: dhcpmon.exe.3.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
      Source: 12.0.dhcpmon.exe.c70000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 12.0.dhcpmon.exe.c70000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
      Source: 12.0.dhcpmon.exe.c70000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
      Source: 3.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 12.2.dhcpmon.exe.c70000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 12.2.dhcpmon.exe.c70000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 12.0.dhcpmon.exe.c70000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 12.0.dhcpmon.exe.c70000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 15.0.dhcpmon.exe.10000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 15.0.dhcpmon.exe.10000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
      Source: 15.0.dhcpmon.exe.10000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
      Source: 15.2.dhcpmon.exe.10000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 15.2.dhcpmon.exe.10000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
      Source: 15.2.dhcpmon.exe.10000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
      Source: 12.2.dhcpmon.exe.c70000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 12.2.dhcpmon.exe.c70000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
      Source: 12.2.dhcpmon.exe.c70000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.cs | Security API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
      Source: 15.0.dhcpmon.exe.10000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 15.0.dhcpmon.exe.10000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: MSBuild.exe, 00000003.00000003.657703157.0000000001222000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000000.664261186.0000000000C72000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000002.683748941.0000000000012000.00000002.00020000.sdmp, dhcpmon.exe.3.dr | Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
      Source: MSBuild.exe, 00000003.00000003.657703157.0000000001222000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000000.664261186.0000000000C72000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000002.683748941.0000000000012000.00000002.00020000.sdmp, dhcpmon.exe.3.dr | Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
      Source: dhcpmon.exe, dhcpmon.exe.3.dr | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
      Source: dhcpmon.exe, 0000000F.00000002.684375210.0000000002381000.00000004.00000001.sdmp | Binary or memory string: *.slnP#"l
      Source: MSBuild.exe, 00000003.00000003.657703157.0000000001222000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000000.664261186.0000000000C72000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000002.683748941.0000000000012000.00000002.00020000.sdmp, dhcpmon.exe.3.dr | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
      Source: dhcpmon.exe, 0000000F.00000002.684375210.0000000002381000.00000004.00000001.sdmp | Binary or memory string: l)C:\Program Files (x86)\DHCP Monitor\*.sln
      Source: dhcpmon.exe, dhcpmon.exe.3.dr | Binary or memory string: *.sln
      Source: MSBuild.exe, 00000003.00000003.657703157.0000000001222000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000000.664261186.0000000000C72000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000002.683748941.0000000000012000.00000002.00020000.sdmp, dhcpmon.exe.3.dr | Binary or memory string: MSBuild MyApp.csproj /t:Clean
      Source: MSBuild.exe, 00000003.00000003.657703157.0000000001222000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000000.664261186.0000000000C72000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000002.683748941.0000000000012000.00000002.00020000.sdmp, dhcpmon.exe.3.dr | Binary or memory string: /ignoreprojectextensions:.sln
      Source: MSBuild.exe, 00000003.00000003.657703157.0000000001222000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000000.664261186.0000000000C72000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000002.683748941.0000000000012000.00000002.00020000.sdmp, dhcpmon.exe.3.dr | Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@16/11@26/2
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{c536defd-5b4b-4102-b411-7da22a027e3a}
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6080:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1372:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Users\user\AppData\Local\Temp\tmp731A.tmp
      Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Metadefender: Detection: 18%
      Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | ReversingLabs: Detection: 59%
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | File read: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE
      Source: unknown | Process created: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE 'C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE'
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp731A.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7609.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE'
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp731A.tmp'
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7609.tmp'
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Windows\System.pdbpdbtem.pdb%0 source: MSBuild.exe, 00000003.00000003.941644723.0000000001268000.00000004.00000001.sdmp
      Source: Binary string: \??\C:\Windows\dll\System.pdb source: MSBuild.exe, 00000003.00000003.950346541.000000000126D000.00000004.00000001.sdmp
      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.3.dr
      Source: Binary string: wntdll.pdbUGP source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE, 00000001.00000003.652861148.000000001BC10000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE, 00000001.00000003.652861148.000000001BC10000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: MSBuild.exe, 00000003.00000003.941644723.0000000001268000.00000004.00000001.sdmp
      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 00000003.00000003.657703157.0000000001222000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000000.664261186.0000000000C72000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000002.683748941.0000000000012000.00000002.00020000.sdmp, dhcpmon.exe.3.dr
      Source: Binary string: \??\C:\Windows\System.pdb source: MSBuild.exe, 00000003.00000003.950311338.000000000125D000.00000004.00000001.sdmp
      Source: Binary string: System.pdbU! source: MSBuild.exe, 00000003.00000003.941616893.000000000125D000.00000004.00000001.sdmp
      Source: Binary string: System.pdb source: MSBuild.exe, 00000003.00000003.996753411.0000000006976000.00000004.00000001.sdmp
      Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 3.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Code function: 1_2_00A5EAF3 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | Code function: 1_2_00A554F5 push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_02E35578 push FFFFFF8Bh; iretd
      Source: 3.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 3.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | File created: \tnt shipment awb_image ci_from tnt awb# 167095453_pdf_________.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp731A.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe:Zone.Identifier read attributes | delete
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3615
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 5800
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: foregroundWindowGot 488
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: foregroundWindowGot 1403
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6888 Thread sleep time: -15679732462653109s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4612 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3120 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1172 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: MSBuild.exe, 00000003.00000002.1047891246.00000000070C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: MSBuild.exe, 00000003.00000002.1047891246.00000000070C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: MSBuild.exe, 00000003.00000002.1047891246.00000000070C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: MSBuild.exe, 00000003.00000003.936447868.0000000001230000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: MSBuild.exe, 00000003.00000002.1047891246.00000000070C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: 1_2_00A5EAF3 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: 1_2_00A51E50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: 1_2_008FEAC5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: 1_2_008FF3D4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: 1_2_008FF334 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: 1_2_008FF371 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: 1_2_008FF519 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: 1_2_00A51FD0 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapAlloc,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: 1_2_00A54BE6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: 1_2_00A54BC3 SetUnhandledExceptionFilter,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      .NET source code references suspicious native API functions
      Source: dhcpmon.exe.3.dr, Microsoft.Build/Shared/NativeMethodsShared.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
      Source: 3.2.MSBuild.exe.400000.0.unpack, #=qjryTBW16mUfo_ItH9KWoGQ==.cs Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
      Source: 12.0.dhcpmon.exe.c70000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
      Source: 12.2.dhcpmon.exe.c70000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
      Source: 15.0.dhcpmon.exe.10000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
      Source: 15.2.dhcpmon.exe.10000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: execute and read and write
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: DA2008
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE'
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp731A.tmp'
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7609.tmp'
      Source: MSBuild.exe, 00000003.00000002.1042604643.00000000030E8000.00000004.00000001.sdmp Binary or memory string: Program ManagerD$\k
      Source: MSBuild.exe, 00000003.00000002.1047063541.000000000616D000.00000004.00000001.sdmp Binary or memory string: Program Manager
      Source: MSBuild.exe, 00000003.00000002.1042222236.00000000018C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
      Source: MSBuild.exe, 00000003.00000002.1042222236.00000000018C0000.00000002.00000001.sdmp Binary or memory string: Progman
      Source: MSBuild.exe, 00000003.00000002.1044112934.000000000355D000.00000004.00000001.sdmp Binary or memory string: Program ManagerX
      Source: MSBuild.exe, 00000003.00000002.1043649373.00000000034A0000.00000004.00000001.sdmp Binary or memory string: Program Managerx
      Source: MSBuild.exe, 00000003.00000002.1042222236.00000000018C0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
      Source: MSBuild.exe, 00000003.00000002.1043649373.00000000034A0000.00000004.00000001.sdmp Binary or memory string: Program ManagerHa\k
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: 1_2_00A5BFC2 cpuid
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXECode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: GetLocaleInfoEx,__wcsnicmp,_TestDefaultCountry,_TestDefaultCountry,
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXECode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: EnumSystemLocalesEx,
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: GetLocaleInfoEx,
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation
      Source: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE Code function: 1_2_00A5C9C7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match File source: 00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000003.00000002.1047366764.0000000006580000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000003.00000002.1044661467.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000003.00000002.1041355870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2204, type: MEMORY
      Source: Yara match File source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.unpack, type: UNPACKEDPE
      Source: Yara match File source: 3.2.MSBuild.exe.6580000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 3.2.MSBuild.exe.6580000.4.unpack, type: UNPACKEDPE
      Source: Yara match File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: MSBuild.exe, 00000003.00000002.1047366764.0000000006580000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: MSBuild.exe, 00000003.00000002.1044661467.00000000040D9000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1047366764.0000000006580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1044661467.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1041355870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 2204, type: MEMORY
Source: Yara match | File source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MSBuild.exe.6580000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.ab0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MSBuild.exe.6580000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The numbers after a technique name are the signature counts shown in the matrix cell; empty cells are left blank.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job 11 | Scheduled Task/Job 11 | Process Injection 212 | Masquerading 2 | Input Capture 11 | System Time Discovery 1 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 11 | Boot or Logon Initialization Scripts | Scheduled Task/Job 11 | Virtualization/Sandbox Evasion 2 | LSASS Memory | Security Software Discovery 31 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 212 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 11 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 22 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Information Discovery 33 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 11 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 343026
Sample: TNT SHIPMENT AWB_IMAGE CI_... (start date 22/01/2021, architecture WINDOWS, score 100)

Signatures attached to the sample node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures.

Process tree recovered from the graph (numbers in parentheses are the node counters as drawn; truncated paths are as shown in the graph):

TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE (1) started
    signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
    MSBuild.exe (1 12) started
        DNS/IP: mimi121.duckdns.org 91.193.75.155, ports 49737, 49738, 49741, DAVID_CRAIGGG, Serbia
        DNS/IP: 192.168.2.1, unknown, unknown
        dropped: C:\Users\user\AppData\Roaming\...\run.dat, data
        dropped: C:\Users\user\AppData\Local\...\tmp731A.tmp, XML
        dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32
        signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
        schtasks.exe (1) started
            conhost.exe started
        schtasks.exe (1) started
            conhost.exe started
    conhost.exe started
dhcpmon.exe (4) started
    conhost.exe started
dhcpmon.exe (3) started
    conhost.exe started
MSBuild.exe (2) started
    conhost.exe started


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | 24% | Metadefender |
TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | 59% | ReversingLabs | Win32.Spyware.Noon
TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE.e30000.2.unpack | 100% | Avira | HEUR/AGEN.1110392
3.2.MSBuild.exe.6580000.4.unpack | 100% | Avira | TR/NanoCore.fadte
3.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mimi121.duckdns.org | 91.193.75.155 | true | true | | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
91.193.75.155 | unknown | Serbia | 209623 | DAVID_CRAIGGG | true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 343026
Start date: 22.01.2021
Start time: 07:29:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 53s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@16/11@26/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 57.2% (good quality ratio 52.8%)
• Quality average: 81.9%
• Quality standard deviation: 30.4%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .EXE
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.43.193.48, 51.11.168.160, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129, 2.20.142.209, 2.20.142.210
• Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
• Report size exceeded maximum capacity and may have missing behavior information.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/343026/sample/TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE

Simulations

Behavior and APIs

Time | Type | Description
07:30:33 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
07:30:34 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" s>$(Arg0)
07:30:34 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
07:30:34 | API Interceptor | 1546x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
91.193.75.155 | file.exe | malicious |
91.193.75.155 | Enquiry No ANS700_Pdf___.exe | malicious |
91.193.75.155 | Enquiry No ANS700_Pdf___.exe | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
mimi121.duckdns.org | file.exe | malicious | 91.193.75.155
mimi121.duckdns.org | Enquiry No ANS700_Pdf___.exe | malicious | 91.193.75.155
mimi121.duckdns.org | Enquiry No ANS700_Pdf___.exe | malicious | 91.193.75.155

ASN

Match | Associated Sample Name / URL | Detection | Context
DAVID_CRAIGGG | 9A87wdxsuh.exe | malicious | 91.193.75.204
DAVID_CRAIGGG | PROOF OF PAYMENT.exe | malicious | 185.140.53.131
DAVID_CRAIGGG | SecuriteInfo.com.Artemis1A5E2411DEA6.exe | malicious | 91.193.75.204
DAVID_CRAIGGG | Payment Invoice PDF.exe | malicious | 185.244.30.18
DAVID_CRAIGGG | New Doc 20211401#_our new price.exe | malicious | 91.193.75.243
DAVID_CRAIGGG | company profile.exe | malicious | 185.140.53.227
DAVID_CRAIGGG | NEWORDERrefno0992883jpg.exe | malicious | 185.140.53.253
DAVID_CRAIGGG | richiealvin.exe | malicious | 91.193.75.185
DAVID_CRAIGGG | Quotation.exe | malicious | 185.140.53.154
DAVID_CRAIGGG | DHL Delivery Shipping Cargo. Pdf.exe | malicious | 185.244.30.18
DAVID_CRAIGGG | CompanyLicense.exe | malicious | 185.140.53.253
DAVID_CRAIGGG | Purchase Order 2094742424.exe | malicious | 185.244.30.132
DAVID_CRAIGGG | PURCHASE OREDER. PRINT. pdf.exe | malicious | 91.193.75.45
DAVID_CRAIGGG | PO.exe | malicious | 185.140.53.234
DAVID_CRAIGGG | SWIFT.exe | malicious | 185.140.53.154
DAVID_CRAIGGG | SecuriteInfo.com.BScope.Trojan-Dropper.Injector.exe | malicious | 185.140.53.234
DAVID_CRAIGGG | PROOF OF PAYMENT.exe | malicious | 185.140.53.131
DAVID_CRAIGGG | Orden n.#U00ba STL21119, pdf.exe | malicious | 185.140.53.129
DAVID_CRAIGGG | Proof of Payment.exe | malicious | 185.244.30.51
DAVID_CRAIGGG | DxCHoDnNLn.exe | malicious | 185.140.53.202

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection | Context
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | New Order_PO#060317_007_Pdf________________________________________.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | file.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | jCLiY7TCmD.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | WkyJ4e1mGH.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Enquiry No ANS700_Pdf___.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Enquiry No ANS700_Pdf___.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | P.I - AE-SA-10016 - SIG SHARBTLY INTERNATIONAL GROUP.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Purchase Order 40,7045.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PAYMENT ADVICE.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Swift Copy.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Quotation Request-RFQ#2020-11-19.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Api Details.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | BALANCE PAYMENT.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 5dj4XCE86M.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | z865yM9Ehy.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | EXPORT SHIPMENT CERTIFIED 2.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 4IZjnTicql.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | K1Rul7dwGf.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 14RP4w9CuA.exe | malicious |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Bx757nPqML.exe | malicious |

                                                      Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 261728
Entropy (8bit): 6.1750840449797675
Encrypted: false
SSDEEP: 3072:Mao0QHGUQWWimj9q/NLpj/WWqvAw2XpFU4rwOe4ubZSif02RFi/x2uv9FeP:boZTTWxxqVpqWVRXfr802biprVu
MD5: D621FD77BD585874F9686D3A76462EF1
SHA1: ABCAE05EE61EE6292003AABD8C80583FA49EDDA2
SHA-256: 2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6
SHA-512: 2D85A81D708ECC8AF9A1273143C94DA84E632F1E595E22F54B867225105A1D0A44F918F0FAE6F1EB15ECF69D75B6F4616699776A16A2AA8B5282100FD15CA74C
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: New Order_PO#060317_007_Pdf________________________________________.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: jCLiY7TCmD.exe, Detection: malicious
• Filename: WkyJ4e1mGH.exe, Detection: malicious
• Filename: Enquiry No ANS700_Pdf___.exe, Detection: malicious
• Filename: Enquiry No ANS700_Pdf___.exe, Detection: malicious
• Filename: P.I - AE-SA-10016 - SIG SHARBTLY INTERNATIONAL GROUP.exe, Detection: malicious
• Filename: Purchase Order 40,7045.exe, Detection: malicious
• Filename: PAYMENT ADVICE.exe, Detection: malicious
• Filename: Swift Copy.exe, Detection: malicious
• Filename: Quotation Request-RFQ#2020-11-19.exe, Detection: malicious
• Filename: Api Details.exe, Detection: malicious
• Filename: BALANCE PAYMENT.exe, Detection: malicious
• Filename: 5dj4XCE86M.exe, Detection: malicious
• Filename: z865yM9Ehy.exe, Detection: malicious
• Filename: EXPORT SHIPMENT CERTIFIED 2.exe, Detection: malicious
• Filename: 4IZjnTicql.exe, Detection: malicious
• Filename: K1Rul7dwGf.exe, Detection: malicious
• Filename: 14RP4w9CuA.exe, Detection: malicious
• Filename: Bx757nPqML.exe, Detection: malicious
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 841
Entropy (8bit): 5.356220854328477
Encrypted: false
SSDEEP: 24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoIvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHwvEHxDqHj
MD5: 486580834B084C92AE1F3866166C9C34
SHA1: C8EB7E1CEF55A6C9EB931487E9AA4A2098AACEDF
SHA-256: 65C5B1213E371D449E2A239557A5F250FEA1D3473A1B5C4C5FF7492085F663FB
SHA-512: 2C54B638A52AA87F47CAB50859EFF98F07DA02993A596686B5617BA99E73ABFCD104F0F33209E24AFB32E66B4B8A225D4DB2CC79631540C21E7E8C4573DFD457
Malicious: false
Reputation: moderate, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1037
Entropy (8bit): 5.371216502395632
Encrypted: false
SSDEEP: 24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7KvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHhAHKzvKvEHxD0
MD5: C7F28B87C2CAD111D929CB9A0FF822F8
SHA1: C2CF9E7A3F6EFD9000FE76EBE54E4E9AE5754267
SHA-256: D1B02C20EACF464229AB063FA947A525E2ED7772259A8F70C7205DC13599EAE6
SHA-512: E0F35874E02AB672CFF0553A0DA0864DAB14C05733D06395E4D0C9CDFC6F445E940310F8D01E3E1B28895F636DFBC1F510E103D1C46818400BA4E7371D8F254D
Malicious: false
                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral,
C:\Users\user\AppData\Local\Temp\tmp731A.tmp
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1320
Entropy (8bit): 5.137611098420233
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0moxtn:cbk4oL600QydbQxIYODOLedq3Zoj
MD5: 3E2B26ED8B75AE83A269595180E84EF6
SHA1: D30A0335FCCE406BCA8BA5764288235E6192F608
SHA-256: 108BE30AEB8EB31C185A39A6726F26DACBC4E4124951C61A29ADE4B7038C71EA
SHA-512: B6981C68FCB886CC8379A068B96931B9D4F5CC5AA9BDC467E36C4168FE6C5273A2A84D8850B12C11703EC03AC6B1F1950D1E669EFCB59FC2402CE4BBA9DC03D3
Malicious: true
                                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
C:\Users\user\AppData\Local\Temp\tmp7609.tmp
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1310
Entropy (8bit): 5.109425792877704
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5: 5C2F41CFC6F988C859DA7D727AC2B62A
SHA1: 68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512: B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious: false
                                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: data
Category: dropped
Size (bytes): 1624
Entropy (8bit): 7.024371743172393
Encrypted: false
SSDEEP: 48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC08
MD5: 0D79388CEC6619D612C2088173BB6741
SHA1: 8A312E3198009C545D0CF3254572189D29A03EA7
SHA-256: D7D423B23D932E306F3CCB2F7A984B7036A042C007A43FD655C6B57B960BB8DF
SHA-512: 53BB3E9263DFD746E7E8159466E220E6EC9D81E9D3F0E1D191E09CD511B7EB93B0BA65D13CE0C97C652ECD0F69BB991E6B1840F961BC65003C4DD7AA93EEDA13
Malicious: false
                                                      Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):8
                                                      Entropy (8bit):3.0
                                                      Encrypted:false
                                                      SSDEEP:3:6VQ:6e
                                                      MD5:80AF87D7D4711FE01B9BD93DEA99B562
                                                      SHA1:85CA7BA9B80AEB0AF92FD9B3B394B1D86FE4C76C
                                                      SHA-256:BD368AEEC8818B4106F481C92B7D242B079FAA718AD109E6D8779F613D1AB6FB
                                                      SHA-512:5C55593F43C186EF0992AB60935877EA13EFD11310B98915414E50E2A5955B6ADEE4A79940C46C5CE838D2592BD1524728FB071C062A20BAA3208D8B479E6501
                                                      Malicious:true
                                                      Preview: ...8...H
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):57
                                                      Entropy (8bit):4.887726803973036
                                                      Encrypted:false
                                                      SSDEEP:3:oMty8WddSJ8:oMLW6C
                                                      MD5:6ECAFC0490DAB08E4A288E0042B6B613
                                                      SHA1:4A4529907588505FC65CC9933980CFE6E576B3D6
                                                      SHA-256:DC5F76FBF44B3E6CDDC14EA9E5BB9B6BD3A955197FE13F33F7DDA7ECC08E79E0
                                                      SHA-512:7DA2B02627A36C8199814C250A1FBD61A9C18E098F8D691C11D75044E7F51DBD52C31EC2E1EA8CDEE5077ADCCB8CD247266F191292DB661FE7EA1B613FC646F8
                                                      Malicious:false
                                                      Preview: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                      \Device\ConDrv
                                                      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):298
                                                      Entropy (8bit):4.943030742860529
                                                      Encrypted:false
                                                      SSDEEP:6:zx3M1tFAbQtU1R30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13I30ZMt9BFN+QdCT2UftCM+
                                                      MD5:6A9888952541A41F033EB114C24DC902
                                                      SHA1:41903D7C8F31013C44572E09D97B9AAFBBCE77E6
                                                      SHA-256:41A61D0084CD7884BEA1DF02ED9213CB8C83F4034F5C8156FC5B06D6A3E133CE
                                                      SHA-512:E6AC898E67B4052375FDDFE9894B26D504A7827917BF3E02772CFF45C3FA7CC5E0EFFDC701D208E0DB89F05E42F195B1EC890F316BEE5CB8239AB45444DAA65E
                                                      Malicious:false
                                                      Preview: Microsoft (R) Build Engine version 4.7.3056.0..[Microsoft .NET Framework, version 4.0.30319.42000]..Copyright (C) Microsoft Corporation. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (console) Intel 80386, for MS Windows
                                                      Entropy (8bit):6.925960933213739
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE
                                                      File size:542720
                                                      MD5:d40d97b41a353bc42b0e7ebe451886d9
                                                      SHA1:8e416c76489782a32eade1b03bcd26dce3f19a82
                                                      SHA256:23b46a12d6b6a703b8e588d24f3c0018cf749556b021b514b963587e7adaa25b
                                                      SHA512:85d6c292351f8ff836337c9ace1c38e3f65cb15268d160c9f5e5f8f52ee7284834fa1c4a022bc58204664cf35ea348b802ff01d3f0d2b64b56b6bd4eb963c65d
                                                      SSDEEP:6144:qJa6HhHoWXBuRPh6DnN+2gUFKLpGbNLpvlKK01gBxF8uUzeSg2ZDqnB8lRBYc:YlZYRsLN4cKLpGbNTjDF8u8JvKBkTj
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......JH.*.).y.).y.).y..qy.).y..yy/).y..{y.).y..xy.).y.).yr).y.^.y.).y).xy.).y)..y.).y).zy.).yRich.).y................PE..L...tt.`...

                                                      File Icon

                                                      Icon Hash:70cccecececcec30

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x404ad0
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows cui
                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x60097474 [Thu Jan 21 12:32:52 2021 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:6
                                                      OS Version Minor:0
                                                      File Version Major:6
                                                      File Version Minor:0
                                                      Subsystem Version Major:6
                                                      Subsystem Version Minor:0
                                                      Import Hash:50cdb1b392e09bc322ca35e8f4935cd6

                                                      Entrypoint Preview

                                                      Instruction
                                                      call 00007FF2448D2107h
                                                      jmp 00007FF2448CA056h
                                                      and dword ptr [00420D24h], 00000000h
                                                      ret
                                                      push ebp
                                                      mov ebp, esp
                                                      push ecx
                                                      and dword ptr [ebp-04h], 00000000h
                                                      push 0041A29Ch
                                                      push 0041A2B0h
                                                      call dword ptr [0041A100h]
                                                      push eax
                                                      call dword ptr [0041A0D4h]
                                                      test eax, eax
                                                      je 00007FF2448CA224h
                                                      push 00000000h
                                                      lea ecx, dword ptr [ebp-04h]
                                                      push ecx
                                                      call eax
                                                      cmp eax, 7Ah
                                                      jne 00007FF2448CA217h
                                                      xor eax, eax
                                                      inc eax
                                                      leave
                                                      ret
                                                      xor eax, eax
                                                      leave
                                                      ret
                                                      push ebp
                                                      mov ebp, esp
                                                      push dword ptr [ebp+08h]
                                                      call dword ptr [0041A0E4h]
                                                      pop ebp
                                                      ret
                                                      push ebp
                                                      mov ebp, esp
                                                      push dword ptr [ebp+08h]
                                                      call dword ptr [0041A0F0h]
                                                      pop ebp
                                                      ret
                                                      push ebp
                                                      mov ebp, esp
                                                      push dword ptr [ebp+08h]
                                                      call dword ptr [0041A0E8h]
                                                      pop ebp
                                                      ret
                                                      push ebp
                                                      mov ebp, esp
                                                      push dword ptr [ebp+0Ch]
                                                      push dword ptr [ebp+08h]
                                                      call dword ptr [0041A0ECh]
                                                      pop ebp
                                                      ret
                                                      push ebp
                                                      mov ebp, esp
                                                      sub esp, 44h
                                                      lea eax, dword ptr [ebp-44h]
                                                      push eax
                                                      call dword ptr [0041A0FCh]
                                                      test byte ptr [ebp-18h], 00000001h
                                                      je 00007FF2448CA218h
                                                      movzx eax, word ptr [ebp-14h]
                                                      leave
                                                      ret
                                                      push 0000000Ah
                                                      pop eax
                                                      leave
                                                      ret
                                                      push ebp
                                                      mov ebp, esp
                                                      push ecx
                                                      push esi
                                                      mov esi, dword ptr [0041F368h]
                                                      test esi, esi
                                                      jns 00007FF2448CA245h
                                                      push 0041A29Ch
                                                      xor esi, esi
                                                      push 0041A2B0h
                                                      mov dword ptr [ebp-04h], esi
                                                      call dword ptr [00000000h]

                                                      Rich Headers

                                                      Programming Language:
                                                      • [LNK] VS2012 build 50727
                                                      • [RES] VS2012 build 50727
                                                      • [ C ] VS2012 build 50727

                                                      Data Directories

                                                       Name | Virtual Address | Virtual Size | Is in Section
                                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d564 | 0xb4 | .rdata
                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x327d8 | .rsrc
                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x55000 | 0xfdc | .reloc
                                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1cd18 | 0x40 | .rdata
                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x1a000 | 0x210 | .rdata
                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                      Sections

                                                       Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                       .text | 0x1000 | 0x18994 | 0x18a00 | False | 0.526233343909 | data | 6.49084256108 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                       .rdata | 0x1a000 | 0x418e | 0x4200 | False | 0.352095170455 | data | 4.70513234879 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .data | 0x1f000 | 0x2d60 | 0x1000 | False | 0.206787109375 | data | 2.47644845022 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                       .rsrc | 0x22000 | 0x327d8 | 0x32800 | False | 0.384548073948 | data | 5.23228179627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .reloc | 0x55000 | 0x123c | 0x1400 | False | 0.6751953125 | data | 5.88808398568 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                       Name | RVA | Size | Type | Language | Country
                                                       RT_ICON | 0x22280 | 0x8f02 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Chinese | Taiwan
                                                       RT_ICON | 0x2b188 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | Chinese | Taiwan
                                                       RT_ICON | 0x3b9b0 | 0x94a8 | data | Chinese | Taiwan
                                                       RT_ICON | 0x44e58 | 0x5488 | data | Chinese | Taiwan
                                                       RT_ICON | 0x4a2e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 15794175, next used block 4294909696 | Chinese | Taiwan
                                                       RT_ICON | 0x4e508 | 0x25a8 | data | Chinese | Taiwan
                                                       RT_ICON | 0x50ab0 | 0x10a8 | data | Chinese | Taiwan
                                                       RT_ICON | 0x51b58 | 0x988 | data | Chinese | Taiwan
                                                       RT_ICON | 0x524e0 | 0x468 | GLS_BINARY_LSB_FIRST | Chinese | Taiwan
                                                       RT_RCDATA | 0x529d0 | 0x1e05 | data | Chinese | Taiwan
                                                       RT_GROUP_ICON | 0x52948 | 0x84 | data | Chinese | Taiwan

                                                      Imports

                                                       DLL | Import
                                                       KERNEL32.dll | GetDiskFreeSpaceExA, ReleaseSemaphore, SearchPathW, GlobalGetAtomNameW, GetTickCount, TerminateJobObject, GetProcessHeap, LoadLibraryA, GetConsoleWindow, ReadConsoleInputA, PeekConsoleInputA, HeapAlloc, MoveFileExA, GetNumberOfConsoleInputEvents, SetEndOfFile, SetEnvironmentVariableA, CreateFileW, GetFileAttributesExW, CreateProcessA, GetExitCodeProcess, WaitForSingleObject, GetStringTypeW, EnumSystemLocalesEx, IsValidLocaleName, LCMapStringEx, GetUserDefaultLocaleName, GetLocaleInfoEx, CompareStringEx, GetDateFormatEx, GetTimeFormatEx, HeapSize, LoadLibraryW, OutputDebugStringW, WriteConsoleW, SetFilePointerEx, SetStdHandle, HeapReAlloc, FreeEnvironmentStringsW, GetEnvironmentStringsW, IsDebuggerPresent, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, GetLastError, AreFileApisANSI, MultiByteToWideChar, EncodePointer, DecodePointer, InterlockedDecrement, ExitProcess, GetModuleHandleExW, GetProcAddress, GetCommandLineA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetCurrentProcess, TerminateProcess, GetStartupInfoW, GetModuleHandleW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, FatalAppExitA, HeapFree, Sleep, CloseHandle, FlushFileBuffers, GetStdHandle, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetFileType, InitOnceExecuteOnce, RtlUnwind, ReadFile, ReadConsoleW, SetFilePointer, DeleteFileW, MoveFileExW, GetModuleFileNameW, InterlockedExchange, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, InterlockedIncrement, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, GetCurrentThread, GetCurrentThreadId, GetModuleFileNameA, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetTickCount64, SetConsoleMode
                                                       wsnmp32.dll |
                                                       CRYPT32.dll | CertGetEnhancedKeyUsage
                                                       ole32.dll | CreateAntiMoniker, OleSetAutoConvert, StringFromIID, HMETAFILE_UserUnmarshal, OleRegGetMiscStatus, RegisterDragDrop, CreateStreamOnHGlobal
                                                       SHELL32.dll | ShellExecuteA, FindExecutableA, SHGetFileInfo
                                                       pdh.dll | PdhOpenLogW, PdhBrowseCountersW
                                                       WINMM.dll | waveOutBreakLoop, midiInPrepareHeader, mmioGetInfo, joyGetPosEx, mixerMessage, waveInUnprepareHeader, mmioAdvance, mmioRenameA
                                                       USER32.dll | ShowWindow

                                                      Possible Origin

                                                       Language of compilation system | Country where language is spoken | Map
                                                       Chinese | Taiwan |

                                                      Network Behavior

                                                      Snort IDS Alerts

                                                       Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                       01/22/21-07:30:35.963522 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49737 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:30:43.444799 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49738 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:30:51.244977 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49741 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:30:58.286261 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49743 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:31:05.172412 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49744 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:31:12.170639 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49752 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:31:19.876213 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49758 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:31:26.508386 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49762 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:31:32.711233 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49768 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:31:38.673936 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49769 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:31:45.771730 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49770 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:31:51.904335 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49771 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:31:59.176544 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49772 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:32:05.936635 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49775 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:32:13.035831 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49776 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:32:19.932310 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49777 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:32:26.960210 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49778 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:32:33.984764 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49779 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:32:41.028507 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49780 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:32:48.367382 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49781 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:32:55.282856 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49782 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:33:03.415066 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49783 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:33:10.340730 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49784 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:33:17.449587 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49785 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:33:24.254331 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49786 | 5090 | 192.168.2.4 | 91.193.75.155
                                                       01/22/21-07:33:31.359828 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49787 | 5090 | 192.168.2.4 | 91.193.75.155

                                                      Network Port Distribution

                                                      TCP Packets

                                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                       Jan 22, 2021 07:30:20.956803083 CET | 49721 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.013168097 CET | 443 | 49721 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.013232946 CET | 443 | 49721 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.013360977 CET | 49721 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.013421059 CET | 49721 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.014260054 CET | 443 | 49721 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.014326096 CET | 443 | 49721 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.014359951 CET | 49721 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.014389992 CET | 49721 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.016556025 CET | 443 | 49721 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.016612053 CET | 443 | 49721 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.016670942 CET | 49721 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.016699076 CET | 49721 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.018930912 CET | 443 | 49721 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.019045115 CET | 49721 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.116935968 CET | 49721 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.135690928 CET | 49718 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.145804882 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.174531937 CET | 443 | 49721 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.174561024 CET | 443 | 49721 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.174685955 CET | 49721 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.175635099 CET | 443 | 49721 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.175720930 CET | 49721 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.197650909 CET | 443 | 49718 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.197694063 CET | 443 | 49718 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.197871923 CET | 49718 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.197925091 CET | 49718 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.198873043 CET | 443 | 49718 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.198899031 CET | 443 | 49718 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.199003935 CET | 49718 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.201628923 CET | 443 | 49718 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.201677084 CET | 443 | 49718 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.201725006 CET | 49718 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.201759100 CET | 49718 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.204328060 CET | 443 | 49718 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.204370975 CET | 443 | 49718 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.204435110 CET | 49718 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.204461098 CET | 49718 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.207010031 CET | 443 | 49718 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.207043886 CET | 443 | 49718 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.207102060 CET | 49718 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.207128048 CET | 49718 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.208759069 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.208794117 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.208839893 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.208884001 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.209450006 CET | 49721 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.209716082 CET | 443 | 49718 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.209759951 CET | 443 | 49718 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.209803104 CET | 49718 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.209829092 CET | 49718 | 443 | 192.168.2.4 | 92.122.145.220
                                                       Jan 22, 2021 07:30:21.210047960 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.210091114 CET | 443 | 49720 | 92.122.145.220 | 192.168.2.4
                                                       Jan 22, 2021 07:30:21.210115910 CET | 49720 | 443 | 192.168.2.4 | 92.122.145.220
                                                      Jan 22, 2021 07:30:21.210144043 CET49720443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.212443113 CET4434971892.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.212486982 CET4434971892.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.212543011 CET49718443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.212560892 CET49718443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.212590933 CET4434972092.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.212629080 CET4434972092.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.212651014 CET49720443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.212696075 CET49720443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.215147018 CET4434971892.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.215195894 CET4434971892.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.215233088 CET49718443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.215244055 CET4434972092.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.215260029 CET49718443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.215308905 CET49720443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.217942953 CET4434971892.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.218010902 CET4434971892.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.218050957 CET49718443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.218101025 CET49718443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.220582962 CET4434971892.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.220626116 CET4434971892.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.220695972 CET49718443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.220732927 CET49718443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.223262072 CET4434971892.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.223306894 CET4434971892.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.223351002 CET49718443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.223386049 CET49718443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.225946903 CET4434971892.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.226032019 CET49718443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.227494955 CET49718443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.237905979 CET49720443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.270323038 CET4434972192.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.270376921 CET4434972192.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.270437956 CET49721443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.270474911 CET49721443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.270895958 CET4434972192.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.270937920 CET4434972192.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.270975113 CET49721443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.270996094 CET49721443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.273289919 CET4434972192.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.273345947 CET4434972192.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.273397923 CET49721443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.273418903 CET49721443192.168.2.492.122.145.220
                                                      Jan 22, 2021 07:30:21.275707960 CET4434972192.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.275753975 CET4434972192.122.145.220192.168.2.4
                                                      Jan 22, 2021 07:30:21.275809050 CET49721443192.168.2.492.122.145.220

                                                      UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 22, 2021 07:30:21.378611088 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:21.437596083 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:22.342644930 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:22.393596888 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:23.256931067 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:23.304858923 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:24.218707085 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:24.266788006 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:25.174165010 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:25.222306013 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:26.386390924 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:26.434209108 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:27.415808916 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:27.463816881 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:28.397255898 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:28.447101116 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:29.365123987 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:29.423111916 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:30.347744942 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:30.395719051 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:31.332916021 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:31.380970955 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:32.502029896 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:32.554056883 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:33.941205978 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:33.991930008 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:34.928697109 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:34.977129936 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:35.115108013 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:35.336199999 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:42.504307985 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:42.758469105 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:50.225294113 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:50.273416996 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:50.539695024 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:50.770622969 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:54.140110970 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:54.203713894 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:30:57.723223925 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:30:57.780884027 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:04.654083014 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:04.710472107 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:09.095591068 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:09.143719912 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:09.747498989 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:09.803611994 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:10.393574953 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:10.452713013 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:10.756057978 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:10.824704885 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:10.857202053 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:10.895068884 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:10.914729118 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:10.955908060 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:11.368948936 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:11.417228937 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:11.654519081 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:11.713551998 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:12.099128962 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:12.156215906 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:12.684833050 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:12.735503912 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:13.443432093 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:13.502599955 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:14.561983109 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:14.609958887 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:15.153989077 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:15.201973915 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:18.996299028 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:19.047084093 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:24.843041897 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:24.893831015 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:25.182035923 CET | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:25.255044937 CET | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:26.004311085 CET | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:26.060651064 CET | 53 | 64206 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:28.776148081 CET | 50904 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:28.833760023 CET | 53 | 50904 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:32.123198986 CET | 57525 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:32.181315899 CET | 53 | 57525 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:37.996712923 CET | 53814 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:38.216588974 CET | 53 | 53814 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:45.238523006 CET | 53418 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:45.294686079 CET | 53 | 53418 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:51.241583109 CET | 62833 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:51.462378979 CET | 53 | 62833 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:58.366811991 CET | 59260 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:58.591681004 CET | 53 | 59260 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:31:59.609966993 CET | 49944 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:31:59.658224106 CET | 53 | 49944 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:32:02.383984089 CET | 63300 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:32:02.454840899 CET | 53 | 63300 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:32:05.423141956 CET | 61449 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:32:05.481987000 CET | 53 | 61449 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:32:12.499536037 CET | 51275 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:32:12.555836916 CET | 53 | 51275 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:32:19.415810108 CET | 63492 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:32:19.474915981 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:32:26.407856941 CET | 58945 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:32:26.464147091 CET | 53 | 58945 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:32:33.422535896 CET | 60779 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:32:33.478782892 CET | 53 | 60779 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:32:40.510041952 CET | 64014 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:32:40.569143057 CET | 53 | 64014 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:32:47.811078072 CET | 57091 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:32:47.867594004 CET | 53 | 57091 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:32:54.770771980 CET | 55904 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:32:54.821542978 CET | 53 | 55904 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:33:02.690608978 CET | 52109 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:33:02.911175966 CET | 53 | 52109 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:33:09.673223019 CET | 54450 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:33:09.891906023 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:33:16.929156065 CET | 49374 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:33:16.988557100 CET | 53 | 49374 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:33:23.721820116 CET | 50436 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:33:23.778325081 CET | 53 | 50436 | 8.8.8.8 | 192.168.2.4
Jan 22, 2021 07:33:30.837969065 CET | 62605 | 53 | 192.168.2.4 | 8.8.8.8
Jan 22, 2021 07:33:30.894315004 CET | 53 | 62605 | 8.8.8.8 | 192.168.2.4

                                                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 22, 2021 07:30:35.115108013 CET | 192.168.2.4 | 8.8.8.8 | 0x8081 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:30:42.504307985 CET | 192.168.2.4 | 8.8.8.8 | 0x8b76 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:30:50.539695024 CET | 192.168.2.4 | 8.8.8.8 | 0x47bf | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:30:57.723223925 CET | 192.168.2.4 | 8.8.8.8 | 0x18bc | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:04.654083014 CET | 192.168.2.4 | 8.8.8.8 | 0x52f6 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:11.654519081 CET | 192.168.2.4 | 8.8.8.8 | 0x98ce | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:18.996299028 CET | 192.168.2.4 | 8.8.8.8 | 0xc52b | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:26.004311085 CET | 192.168.2.4 | 8.8.8.8 | 0xb97b | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:32.123198986 CET | 192.168.2.4 | 8.8.8.8 | 0xbbed | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:37.996712923 CET | 192.168.2.4 | 8.8.8.8 | 0x2d2a | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:45.238523006 CET | 192.168.2.4 | 8.8.8.8 | 0x9786 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:51.241583109 CET | 192.168.2.4 | 8.8.8.8 | 0x7d59 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:58.366811991 CET | 192.168.2.4 | 8.8.8.8 | 0x8811 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:05.423141956 CET | 192.168.2.4 | 8.8.8.8 | 0xb1a0 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:12.499536037 CET | 192.168.2.4 | 8.8.8.8 | 0xeb3e | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:19.415810108 CET | 192.168.2.4 | 8.8.8.8 | 0x5110 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:26.407856941 CET | 192.168.2.4 | 8.8.8.8 | 0x3361 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:33.422535896 CET | 192.168.2.4 | 8.8.8.8 | 0x1b93 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:40.510041952 CET | 192.168.2.4 | 8.8.8.8 | 0x6233 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:47.811078072 CET | 192.168.2.4 | 8.8.8.8 | 0x202 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:54.770771980 CET | 192.168.2.4 | 8.8.8.8 | 0xca19 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:33:02.690608978 CET | 192.168.2.4 | 8.8.8.8 | 0xed44 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:33:09.673223019 CET | 192.168.2.4 | 8.8.8.8 | 0x24d0 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:33:16.929156065 CET | 192.168.2.4 | 8.8.8.8 | 0x74a0 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:33:23.721820116 CET | 192.168.2.4 | 8.8.8.8 | 0x8bb5 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:33:30.837969065 CET | 192.168.2.4 | 8.8.8.8 | 0x41bd | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)

                                                      DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 22, 2021 07:30:35.336199999 CET | 8.8.8.8 | 192.168.2.4 | 0x8081 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:30:42.758469105 CET | 8.8.8.8 | 192.168.2.4 | 0x8b76 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:30:50.770622969 CET | 8.8.8.8 | 192.168.2.4 | 0x47bf | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:30:57.780884027 CET | 8.8.8.8 | 192.168.2.4 | 0x18bc | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:04.710472107 CET | 8.8.8.8 | 192.168.2.4 | 0x52f6 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:11.713551998 CET | 8.8.8.8 | 192.168.2.4 | 0x98ce | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:19.047084093 CET | 8.8.8.8 | 192.168.2.4 | 0xc52b | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:26.060651064 CET | 8.8.8.8 | 192.168.2.4 | 0xb97b | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:32.181315899 CET | 8.8.8.8 | 192.168.2.4 | 0xbbed | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:38.216588974 CET | 8.8.8.8 | 192.168.2.4 | 0x2d2a | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:45.294686079 CET | 8.8.8.8 | 192.168.2.4 | 0x9786 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:51.462378979 CET | 8.8.8.8 | 192.168.2.4 | 0x7d59 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:58.591681004 CET | 8.8.8.8 | 192.168.2.4 | 0x8811 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:05.481987000 CET | 8.8.8.8 | 192.168.2.4 | 0xb1a0 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:12.555836916 CET | 8.8.8.8 | 192.168.2.4 | 0xeb3e | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:19.474915981 CET | 8.8.8.8 | 192.168.2.4 | 0x5110 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:26.464147091 CET | 8.8.8.8 | 192.168.2.4 | 0x3361 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:33.478782892 CET | 8.8.8.8 | 192.168.2.4 | 0x1b93 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:40.569143057 CET | 8.8.8.8 | 192.168.2.4 | 0x6233 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:47.867594004 CET | 8.8.8.8 | 192.168.2.4 | 0x202 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:32:54.821542978 CET | 8.8.8.8 | 192.168.2.4 | 0xca19 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:33:02.911175966 CET | 8.8.8.8 | 192.168.2.4 | 0xed44 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:33:09.891906023 CET | 8.8.8.8 | 192.168.2.4 | 0x24d0 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:33:16.988557100 CET | 8.8.8.8 | 192.168.2.4 | 0x74a0 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:33:23.778325081 CET | 8.8.8.8 | 192.168.2.4 | 0x8bb5 | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
Jan 22, 2021 07:33:30.894315004 CET | 8.8.8.8 | 192.168.2.4 | 0x41bd | No error (0) | mimi121.duckdns.org | | 91.193.75.155 | A (IP address) | IN (0x0001)
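
The DNS tables above show the sample resolving mimi121.duckdns.org, a dynamic-DNS name, roughly every seven seconds and always receiving 91.193.75.155 back, which is the C2 re-resolution loop of a RAT that has not yet reached its server. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses query rows in the report's column order (timestamp, source IP, destination IP, transaction ID, op code, name, type, class, separated here with " | "), groups them by client and name, and flags a name whose inter-query gaps are nearly constant. The first eight mimi121.duckdns.org rows are copied from the DNS Queries table; the www.example.com rows are constructed to show an irregular lookup that is not flagged. The dynamic-DNS suffix list and the thresholds (five queries, 25% jitter, 80% regularity) are illustrative assumptions, not values from the report.

```python
import re
from datetime import datetime, timezone
from statistics import median

# Constructed input. The mimi121.duckdns.org rows are the first eight DNS queries from the
# report, one per line with " | " between the report's columns:
# Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class.
# The www.example.com rows are made up here to give an irregular, non-beaconing pattern.
SAMPLE_ROWS = """\
Jan 22, 2021 07:30:35.115108013 CET | 192.168.2.4 | 8.8.8.8 | 0x8081 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:30:36.000000000 CET | 192.168.2.4 | 8.8.8.8 | 0x0001 | Standard query (0) | www.example.com | A (IP address) | IN (0x0001)
Jan 22, 2021 07:30:41.000000000 CET | 192.168.2.4 | 8.8.8.8 | 0x0002 | Standard query (0) | www.example.com | A (IP address) | IN (0x0001)
Jan 22, 2021 07:30:42.504307985 CET | 192.168.2.4 | 8.8.8.8 | 0x8b76 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:30:50.539695024 CET | 192.168.2.4 | 8.8.8.8 | 0x47bf | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:30:57.723223925 CET | 192.168.2.4 | 8.8.8.8 | 0x18bc | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:04.654083014 CET | 192.168.2.4 | 8.8.8.8 | 0x52f6 | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:11.654519081 CET | 192.168.2.4 | 8.8.8.8 | 0x98ce | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:18.996299028 CET | 192.168.2.4 | 8.8.8.8 | 0xc52b | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:26.004311085 CET | 192.168.2.4 | 8.8.8.8 | 0xb97b | Standard query (0) | mimi121.duckdns.org | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:30.000000000 CET | 192.168.2.4 | 8.8.8.8 | 0x0003 | Standard query (0) | www.example.com | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:32.000000000 CET | 192.168.2.4 | 8.8.8.8 | 0x0004 | Standard query (0) | www.example.com | A (IP address) | IN (0x0001)
Jan 22, 2021 07:31:52.000000000 CET | 192.168.2.4 | 8.8.8.8 | 0x0005 | Standard query (0) | www.example.com | A (IP address) | IN (0x0001)
"""

TS_RE = re.compile(
    r"^(?P<base>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) [A-Z]+$"
)

# Illustrative list only (assumption): extend it from your own threat intel.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")


def parse_timestamp(ts):
    """'Jan 22, 2021 07:30:35.115108013 CET' -> seconds as a float.

    The zone suffix is ignored: only differences between timestamps are used, and every
    row of one report carries the same zone."""
    m = TS_RE.match(ts.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    base = datetime.strptime(m.group("base"), "%b %d, %Y %H:%M:%S")
    nanos = int(m.group("frac")[:9].ljust(9, "0"))  # the report prints 9 fractional digits
    return base.replace(tzinfo=timezone.utc).timestamp() + nanos / 1e9


def parse_rows(text):
    """Split pipe-separated DNS query rows into dicts with a numeric timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 8:
            raise ValueError(f"expected 8 columns, got {len(cols)}: {line!r}")
        ts, src, dst, txid, op, name, rtype, rclass = cols
        rows.append({
            "t": parse_timestamp(ts), "src": src, "dst": dst, "txid": int(txid, 16),
            "op": op, "name": name.lower().rstrip("."), "type": rtype, "class": rclass,
        })
    return rows


def is_dyndns(name):
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def beacon_findings(rows, min_queries=5, max_jitter=0.25, min_regularity=0.8):
    """Group queries by (client, name) and measure how constant the gaps between them are.

    A RAT that cannot reach its C2 re-resolves the name on a fixed timer, so the gaps
    cluster tightly around one value; interactive or cached lookups do not."""
    times_by_key = {}
    for r in rows:
        times_by_key.setdefault((r["src"], r["name"]), []).append(r["t"])
    findings = {}
    for key, times in times_by_key.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        # share of gaps that sit within +/- max_jitter of the median gap
        regular = sum(abs(g - med) <= max_jitter * med for g in gaps) / len(gaps)
        findings[key] = {
            "queries": len(times),
            "median_gap_s": round(med, 2),
            "regularity": round(regular, 2),
            "dyndns": is_dyndns(key[1]),
            "periodic": regular >= min_regularity,
        }
    return findings


def analyse(text=SAMPLE_ROWS):
    return beacon_findings(parse_rows(text))


if __name__ == "__main__":
    for (src, name), f in analyse().items():
        flag = "BEACON" if f["periodic"] else "ok"
        print(f"{flag:6} {src:12} {name:22} n={f['queries']} gap~{f['median_gap_s']}s "
              f"regularity={f['regularity']} dyndns={f['dyndns']}")
```

On the report's rows the mimi121.duckdns.org group comes out with a median gap of about 7.2 s and every gap inside the jitter band, so it is flagged as periodic and as dynamic DNS; the constructed www.example.com group has gaps of 5, 49, 2 and 20 s and is not flagged. In production the same logic runs over resolver or Zeek dns.log exports, and the jitter threshold should be tuned upward for implants that randomise their sleep.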

                                                      Code Manipulations

                                                      Statistics

                                                      Behavior

                                                      System Behavior

                                                      General

Start time: 07:30:27
Start date: 22/01/2021
Path: C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE'
Imagebase: 0xa50000
File size: 542720 bytes
MD5 hash: D40D97B41A353BC42B0E7EBE451886D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000001.00000002.656614146.0000000000AB0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

                                                      General

                                                      Start time:07:30:27
                                                      Start date:22/01/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:07:30:29
                                                      Start date:22/01/2021
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\Desktop\TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE'
                                                      Imagebase:0xad0000
                                                      File size:261728 bytes
                                                      MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.1047366764.0000000006580000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.1047366764.0000000006580000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.1047366764.0000000006580000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.1044661467.00000000040D9000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.1044661467.00000000040D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.1047272619.00000000064F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.1047272619.00000000064F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.1041355870.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.1041355870.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.1041355870.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      Reputation:moderate

                                                      General

                                                      Start time:07:30:32
                                                      Start date:22/01/2021
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp731A.tmp'
                                                      Imagebase:0xc40000
                                                      File size:185856 bytes
                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:07:30:32
                                                      Start date:22/01/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:07:30:33
                                                      Start date:22/01/2021
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7609.tmp'
                                                      Imagebase:0xc40000
                                                      File size:185856 bytes
                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:07:30:33
                                                      Start date:22/01/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:07:30:34
                                                      Start date:22/01/2021
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0
                                                      Imagebase:0x10000
                                                      File size:261728 bytes
                                                      MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Reputation:moderate

                                                      General

                                                      Start time:07:30:35
                                                      Start date:22/01/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:07:30:35
                                                      Start date:22/01/2021
                                                      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                      Imagebase:0xc70000
                                                      File size:261728 bytes
                                                      MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Antivirus matches:
                                                      • Detection: 0%, Metadefender
                                                      • Detection: 0%, ReversingLabs
                                                      Reputation:moderate

                                                      General

                                                      Start time:07:30:35
                                                      Start date:22/01/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:07:30:41
                                                      Start date:22/01/2021
                                                      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                      Imagebase:0x10000
                                                      File size:261728 bytes
                                                      MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Reputation:moderate

                                                      General

                                                      Start time:07:30:42
                                                      Start date:22/01/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Disassembly

                                                      Code Analysis