Source: unknown |
TCP traffic detected without corresponding DNS query: 194.5.98.182 |
Source: 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0000000C.00000002.502878730.0000000020500000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: RegAsm.exe PID: 808, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 12.2.RegAsm.exe.1dd516dc.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 12.2.RegAsm.exe.1ed8ea94.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 12.2.RegAsm.exe.1ed8ea94.5.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 12.2.RegAsm.exe.20790000.10.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 12.2.RegAsm.exe.20500000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 12.2.RegAsm.exe.1ed930bd.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 12.2.RegAsm.exe.20790000.10.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 12.2.RegAsm.exe.20794629.11.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_0100700D NtProtectVirtualMemory, |
12_2_0100700D |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_010074F1 NtQueryInformationProcess, |
12_2_010074F1 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007509 NtQueryInformationProcess, |
12_2_01007509 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007521 NtQueryInformationProcess, |
12_2_01007521 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007538 NtQueryInformationProcess, |
12_2_01007538 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007555 NtQueryInformationProcess, |
12_2_01007555 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007167 NtQueryInformationProcess, |
12_2_01007167 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007587 NtQueryInformationProcess, |
12_2_01007587 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_0100759D NtQueryInformationProcess, |
12_2_0100759D |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_010075B2 NtQueryInformationProcess, |
12_2_010075B2 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_010075E4 NtQueryInformationProcess, |
12_2_010075E4 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_010075FD NtQueryInformationProcess, |
12_2_010075FD |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_0100700B LoadLibraryA,NtProtectVirtualMemory, |
12_2_0100700B |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_0100704C NtQueryInformationProcess, |
12_2_0100704C |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_0100744E NtQueryInformationProcess, |
12_2_0100744E |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007063 NtQueryInformationProcess, |
12_2_01007063 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007086 NtQueryInformationProcess, |
12_2_01007086 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_010070A5 NtQueryInformationProcess, |
12_2_010070A5 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_010070BC NtQueryInformationProcess, |
12_2_010070BC |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007707 NtQueryInformationProcess, |
12_2_01007707 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007727 NtQueryInformationProcess, |
12_2_01007727 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01006FB1 NtProtectVirtualMemory, |
12_2_01006FB1 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01006FCB NtProtectVirtualMemory,NtQueryInformationProcess, |
12_2_01006FCB |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007615 NtQueryInformationProcess, |
12_2_01007615 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007635 NtQueryInformationProcess, |
12_2_01007635 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_0100764D NtQueryInformationProcess, |
12_2_0100764D |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_010076A6 NtQueryInformationProcess, |
12_2_010076A6 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_200A16DA NtQuerySystemInformation, |
12_2_200A16DA |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_200A169F NtQuerySystemInformation, |
12_2_200A169F |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01006599 |
12_2_01006599 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF623A0 |
12_2_1FF623A0 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF62FA8 |
12_2_1FF62FA8 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF6B2A8 |
12_2_1FF6B2A8 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF689D8 |
12_2_1FF689D8 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF6969F |
12_2_1FF6969F |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF695D8 |
12_2_1FF695D8 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF6306F |
12_2_1FF6306F |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 24_2_048401B7 |
24_2_048401B7 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00409851 |
29_2_00409851 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_0040987E |
29_2_0040987E |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00409828 |
29_2_00409828 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_004098D6 |
29_2_004098D6 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_0040990A |
29_2_0040990A |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00409932 |
29_2_00409932 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_004099DD |
29_2_004099DD |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_0040998E |
29_2_0040998E |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_004099B7 |
29_2_004099B7 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00409A62 |
29_2_00409A62 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00409A09 |
29_2_00409A09 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00409AC1 |
29_2_00409AC1 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00409AF2 |
29_2_00409AF2 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00409A94 |
29_2_00409A94 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00409B48 |
29_2_00409B48 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_0040976B |
29_2_0040976B |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00409B1E |
29_2_00409B1E |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00409739 |
29_2_00409739 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00409BC3 |
29_2_00409BC3 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_004097CB |
29_2_004097CB |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_004093F4 |
29_2_004093F4 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_004097FA |
29_2_004097FA |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00409798 |
29_2_00409798 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_00405934 |
29_2_00405934 |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Code function: 30_2_022D01B7 |
30_2_022D01B7 |
Source: 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0000000C.00000002.503235354.0000000020790000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0000000C.00000002.501121759.000000001ED77000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0000000C.00000002.502878730.0000000020500000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0000000C.00000002.502878730.0000000020500000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: Process Memory Space: RegAsm.exe PID: 808, type: MEMORY |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 12.2.RegAsm.exe.1dd516dc.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 12.2.RegAsm.exe.1dd516dc.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 12.2.RegAsm.exe.1ed8ea94.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 12.2.RegAsm.exe.1ed8ea94.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 12.2.RegAsm.exe.1ed8ea94.5.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 12.2.RegAsm.exe.1ed8ea94.5.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 12.2.RegAsm.exe.20790000.10.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 12.2.RegAsm.exe.20790000.10.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 12.2.RegAsm.exe.20500000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 12.2.RegAsm.exe.20500000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 12.2.RegAsm.exe.1ed930bd.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 12.2.RegAsm.exe.1ed930bd.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 12.2.RegAsm.exe.20790000.10.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 12.2.RegAsm.exe.20790000.10.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 12.2.RegAsm.exe.20794629.11.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 12.2.RegAsm.exe.20794629.11.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 12.2.RegAsm.exe.1ed89c5e.3.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01006C27 push eax; ret |
12_2_01006C87 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01006C41 push eax; ret |
12_2_01006C87 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1DBA74B8 push ebp; ret |
12_2_1DBA74B9 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1DBA74AC push ecx; ret |
12_2_1DBA74AD |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1DBAAAF0 push cs; retf |
12_2_1DBAAB07 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1DBAABD8 push cs; retf |
12_2_1DBAABEF |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1DBA9D73 pushad ; retf |
12_2_1DBA9D79 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1DBAAB64 push cs; retf |
12_2_1DBAAB7B |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF64369 push esi; retn 001Dh |
12_2_1FF6436A |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF64339 push ebp; retn 001Dh |
12_2_1FF6433A |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF64269 push ebp; retn 001Dh |
12_2_1FF6426A |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF645B9 push edi; retn 001Dh |
12_2_1FF645BA |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF661A0 push esp; retn 001Dh |
12_2_1FF661A1 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF64180 push ebp; retn 001Dh |
12_2_1FF64182 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF63970 push ecx; retn 001Dh |
12_2_1FF63B02 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF60170 pushad ; retn 001Dh |
12_2_1FF60171 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF60961 push 16B2E872h; ret |
12_2_1FF60968 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF6096D push ss; ret |
12_2_1FF60974 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF60D59 push 12B5E872h; ret |
12_2_1FF60D65 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF63D40 push esp; retn 001Dh |
12_2_1FF63F7A |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF64127 push esp; retn 001Dh |
12_2_1FF6412A |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF64511 push edi; retn 001Dh |
12_2_1FF64512 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF65911 pushad ; retn 001Dh |
12_2_1FF65912 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF638F8 push eax; retn F81Dh |
12_2_1FF6396A |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF640D1 push esp; retn 001Dh |
12_2_1FF640D2 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_1FF65831 pushad ; retn 001Dh |
12_2_1FF65832 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_0040E4E3 push ecx; ret |
29_2_0040E543 |
Source: C:\Users\user\subfolder1\filename1.exe |
Code function: 29_2_0040BE2F push esi; ret |
29_2_0040BE41 |
Source: C:\Users\user\Desktop\3Fv4j323nj.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\subfolder1\filename1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\subfolder1\filename1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\subfolder1\filename1.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_010074F1 NtQueryInformationProcess, |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_010043E9 InternetOpenA,InternetOpenUrlA, |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002D02 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01003125 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002D2D |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002D73 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002D8D |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002DAA |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002DC5 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002DEE |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01003019 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_0100302B |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002C4B |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_0100704C NtQueryInformationProcess, |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007063 NtQueryInformationProcess, |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002C69 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002C81 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01007086 NtQueryInformationProcess, |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01003092 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002C97 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_010030B5 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002CB5 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002CE3 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_010030EF |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002F0D |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002F71 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002F85 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002FC1 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01006FCB NtProtectVirtualMemory,NtQueryInformationProcess, |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002FD2 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002BF5 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002E1D |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002E4C |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002E6D |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002EB2 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Code function: 12_2_01002EC4 |
Source: C:\Users\user\Desktop\3Fv4j323nj.exe |
RDTSC instruction interceptor: First address: 0000000000667097 second address: 0000000000667097 instructions: |
Source: C:\Users\user\Desktop\3Fv4j323nj.exe |
RDTSC instruction interceptor: First address: 00000000006639D5 second address: 00000000006639D5 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F46849B7C88h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F46849B7C92h 0x0000001f test bx, FB3Ch 0x00000024 cmp bh, bh 0x00000026 pop ecx 0x00000027 add edi, edx 0x00000029 dec ecx 0x0000002a cmp ecx, 00000000h 0x0000002d jne 00007F46849B7C24h 0x0000002f jmp 00007F46849B7C92h 0x00000031 push ss 0x00000032 pop ss 0x00000033 jmp 00007F46849B7C8Dh 0x00000035 push ecx 0x00000036 jmp 00007F46849B7C92h 0x00000038 test dx, dx 0x0000003b call 00007F46849B7CDFh 0x00000040 call 00007F46849B7C98h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc |
Source: C:\Users\user\Desktop\3Fv4j323nj.exe |
RDTSC instruction interceptor: First address: 0000000000660F13 second address: 0000000000660F13 instructions: |
Source: C:\Users\user\Desktop\3Fv4j323nj.exe |
RDTSC instruction interceptor: First address: 0000000000662D13 second address: 0000000000662D13 instructions: |
Source: C:\Users\user\Desktop\3Fv4j323nj.exe |
RDTSC instruction interceptor: First address: 00000000006632EE second address: 00000000006632EE instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000001000FE0 second address: 0000000001000FE0 instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000001001093 second address: 0000000001001093 instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000001001166 second address: 0000000001001166 instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000001001216 second address: 0000000001001216 instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000001004496 second address: 0000000001004496 instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 00000000010045F2 second address: 00000000010045F2 instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 000000000100220E second address: 000000000100220E instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000001002398 second address: 000000000100243D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F46848E3042h 0x0000000c cmp ax, 00002355h 0x00000010 call 00007F46848E369Bh 0x00000015 cmp dword ptr [edi+00000818h], 00000000h 0x0000001c je 00007F46848E3115h 0x00000022 ret 0x00000023 test edx, ecx 0x00000025 mov eax, dword ptr fs:[00000030h] 0x0000002b mov eax, dword ptr [eax+0Ch] 0x0000002e mov eax, dword ptr [eax+0Ch] 0x00000031 jmp 00007F46848E3042h 0x00000033 test dx, dx 0x00000036 mov ecx, dword ptr [edi+00000808h] 0x0000003c jmp 00007F46848E3037h 0x0000003e mov dword ptr [eax+20h], ecx 0x00000041 jmp 00007F46848E3042h 0x00000043 cmp ah, ch 0x00000045 mov esi, dword ptr [edi+00000800h] 0x0000004b jmp 00007F46848E3042h 0x0000004d fnop 0x0000004f mov dword ptr [eax+18h], esi 0x00000052 add esi, dword ptr [edi+00000850h] 0x00000058 mov dword ptr [eax+1Ch], esi 0x0000005b jmp 00007F46848E3042h 0x0000005d pushad 0x0000005e rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 000000000100243D second address: 00000000010024DF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007F46849B7C92h 0x0000000c cmp ax, 0000D992h 0x00000010 test edx, ecx 0x00000012 cmp dword ptr [ebp+70h], 01h 0x00000016 je 00007F46849B7DFCh 0x0000001c mov esi, edi 0x0000001e add esi, 00001000h 0x00000024 xor ecx, ecx 0x00000026 push ecx 0x00000027 jmp 00007F46849B7C92h 0x00000029 test dx, dx 0x0000002c push edi 0x0000002d mov eax, ebp 0x0000002f add eax, 0000009Ch 0x00000034 push eax 0x00000035 call 00007F46849B8315h 0x0000003a jmp 00007F46849B7C92h 0x0000003c jmp 00007F46849B7C9Ah 0x0000003e test ch, ch 0x00000040 cmp dword ptr [esi+24h], E0000020h 0x00000047 je 00007F46849B7D54h 0x0000004d cmp dword ptr [esi+24h], 60000020h 0x00000054 je 00007F46849B7DC3h 0x0000005a mov ebx, 00000020h 0x0000005f jmp 00007F46849B7C96h 0x00000061 ret 0x00000062 push ebx 0x00000063 jmp 00007F46849B7C92h 0x00000065 cmp ah, ch 0x00000067 mov eax, esi 0x00000069 jmp 00007F46849B7C92h 0x0000006b fnop 0x0000006d add eax, 08h 0x00000070 push eax 0x00000071 mov eax, dword ptr [edi+00000800h] 0x00000077 jmp 00007F46849B7C92h 0x00000079 pushad 0x0000007a rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 00000000010024DF second address: 00000000010024DF instructions: |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000001002599 second address: 0000000001002599 instructions: |
Source: C:\Users\user\Desktop\3Fv4j323nj.exe |
RDTSC instruction interceptor: First address: 0000000000663C6A second address: 0000000000663C6A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F46848E55B2h 0x0000001d popad 0x0000001e call 00007F46848E307Dh 0x00000023 lfence 0x00000026 rdtsc |
Source: C:\Users\user\Desktop\3Fv4j323nj.exe |
RDTSC instruction interceptor: First address: 0000000000666A3C second address: 0000000000666B00 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+18h] 0x0000000f jmp 00007F46849B7C92h 0x00000011 cmp bl, FFFFFFE7h 0x00000014 mov byte ptr [eax], FFFFFF90h 0x00000017 jmp 00007F46849B7C92h 0x00000019 cmp ax, dx 0x0000001c mov eax, dword ptr [esp+1Ch] 0x00000020 mov byte ptr [eax], 0000006Ah 0x00000023 jmp 00007F46849B7C92h 0x00000025 jmp 00007F46849B7C9Eh 0x00000027 mov byte ptr [eax+01h], 00000000h 0x0000002b mov byte ptr [eax+02h], FFFFFFB8h 0x0000002f jmp 00007F46849B7C92h 0x00000031 test ax, cx 0x00000034 mov edx, dword ptr [ebp+0000013Ch] 0x0000003a mov dword ptr [eax+03h], edx 0x0000003d jmp 00007F46849B7C92h 0x0000003f cmp dx, cx 0x00000042 jmp 00007F46849B7C92h 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc |
Source: C:\Users\user\Desktop\3Fv4j323nj.exe |
RDTSC instruction interceptor: First address: 0000000000666B00 second address: 0000000000666BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov byte ptr [eax+07h], FFFFFFFFh 0x0000000f jmp 00007F46848E3042h 0x00000011 cmp bl, 00000038h 0x00000014 mov byte ptr [eax+08h], FFFFFFD0h 0x00000018 jmp 00007F46848E3042h 0x0000001a cmp ax, dx 0x0000001d mov byte ptr [eax+09h], FFFFFFC2h 0x00000021 mov byte ptr [eax+0Ah], 00000004h 0x00000025 mov byte ptr [eax+0Bh], 00000000h 0x00000029 jmp 00007F46848E3042h 0x0000002b jmp 00007F46848E304Eh 0x0000002d jmp 00007F46848E3042h 0x0000002f test ax, cx 0x00000032 mov eax, ebx 0x00000034 jmp 00007F46848E3042h 0x00000036 cmp dx, cx 0x00000039 add eax, dword ptr [esp+08h] 0x0000003d jmp 00007F46848E3042h 0x0000003f pushad 0x00000040 lfence 0x00000043 rdtsc |
Source: C:\Users\user\Desktop\3Fv4j323nj.exe |
RDTSC instruction interceptor: First address: 0000000000666BBF second address: 0000000000666BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ebx 0x0000000c cmp ebx, eax 0x0000000e je 00007F46849B7EA5h 0x00000014 jmp 00007F46849B7C92h 0x00000016 cmp bl, 00000041h 0x00000019 cmp byte ptr [ebx], FFFFFFB8h 0x0000001c jne 00007F46849B7C3Eh 0x0000001e jmp 00007F46849B7C92h 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc |
Source: C:\Users\user\Desktop\3Fv4j323nj.exe |
RDTSC instruction interceptor: First address: 000000000066767F second address: 00000000006676BA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [edi+00005000h] 0x00000011 cmp dword ptr [eax+04h], 00000000h 0x00000015 jne 00007F46848E3186h 0x0000001b cmp dword ptr [eax+08h], 00000000h 0x0000001f jne 00007F46848E317Ch 0x00000025 jmp 00007F46848E3042h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000001003C6A second address: 0000000001003C6A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F46848E55B2h 0x0000001d popad 0x0000001e call 00007F46848E307Dh 0x00000023 lfence 0x00000026 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000001006A3C second address: 0000000001006B00 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+18h] 0x0000000f jmp 00007F46849B7C92h 0x00000011 cmp bl, FFFFFFE7h 0x00000014 mov byte ptr [eax], FFFFFF90h 0x00000017 jmp 00007F46849B7C92h 0x00000019 cmp ax, dx 0x0000001c mov eax, dword ptr [esp+1Ch] 0x00000020 mov byte ptr [eax], 0000006Ah 0x00000023 jmp 00007F46849B7C92h 0x00000025 jmp 00007F46849B7C9Eh 0x00000027 mov byte ptr [eax+01h], 00000000h 0x0000002b mov byte ptr [eax+02h], FFFFFFB8h 0x0000002f jmp 00007F46849B7C92h 0x00000031 test ax, cx 0x00000034 mov edx, dword ptr [ebp+0000013Ch] 0x0000003a mov dword ptr [eax+03h], edx 0x0000003d jmp 00007F46849B7C92h 0x0000003f cmp dx, cx 0x00000042 jmp 00007F46849B7C92h 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000001006B00 second address: 0000000001006BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov byte ptr [eax+07h], FFFFFFFFh 0x0000000f jmp 00007F46848E3042h 0x00000011 cmp bl, 00000038h 0x00000014 mov byte ptr [eax+08h], FFFFFFD0h 0x00000018 jmp 00007F46848E3042h 0x0000001a cmp ax, dx 0x0000001d mov byte ptr [eax+09h], FFFFFFC2h 0x00000021 mov byte ptr [eax+0Ah], 00000004h 0x00000025 mov byte ptr [eax+0Bh], 00000000h 0x00000029 jmp 00007F46848E3042h 0x0000002b jmp 00007F46848E304Eh 0x0000002d jmp 00007F46848E3042h 0x0000002f test ax, cx 0x00000032 mov eax, ebx 0x00000034 jmp 00007F46848E3042h 0x00000036 cmp dx, cx 0x00000039 add eax, dword ptr [esp+08h] 0x0000003d jmp 00007F46848E3042h 0x0000003f pushad 0x00000040 lfence 0x00000043 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 0000000001006BBF second address: 0000000001006BBF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ebx 0x0000000c cmp ebx, eax 0x0000000e je 00007F46849B7EA5h 0x00000014 jmp 00007F46849B7C92h 0x00000016 cmp bl, 00000041h 0x00000019 cmp byte ptr [ebx], FFFFFFB8h 0x0000001c jne 00007F46849B7C3Eh 0x0000001e jmp 00007F46849B7C92h 0x00000020 pushad 0x00000021 lfence 0x00000024 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
RDTSC instruction interceptor: First address: 000000000100767F second address: 00000000010076BA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [edi+00005000h] 0x00000011 cmp dword ptr [eax+04h], 00000000h 0x00000015 jne 00007F46848E3186h 0x0000001b cmp dword ptr [eax+08h], 00000000h 0x0000001f jne 00007F46848E317Ch 0x00000025 jmp 00007F46848E3042h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc |