Play interactive tour

Edit tour

Analysis Report V33QokMrIv.exe

Overview

General Information

Sample Name:	V33QokMrIv.exe
Analysis ID:	357184
MD5:	e18dbe57194dd717d54a907ba8e6d3e1
SHA1:	76bacc8c5fbbf675399c39c42565dfc3d77be98b
SHA256:	b5d510179ab07f09c10cfa2ea9d95346fb696afd3f642af2882b3f4cd16d3ff5
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

Nanocore GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected GuLoader

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

V33QokMrIv.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\V33QokMrIv.exe' MD5: E18DBE57194DD717D54A907BA8E6D3E1)

taskhostw.exe (PID: 6556 cmdline: taskhostw.exe None MD5: CE95E236FC9FE2D6F16C926C75B18BAF)

conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5496 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5516 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegAsm.exe (PID: 6556 cmdline: 'C:\Users\user\Desktop\V33QokMrIv.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

RegAsm.exe (PID: 768 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 2936 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 4244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

filename1.exe (PID: 6092 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: E18DBE57194DD717D54A907BA8E6D3E1)

dhcpmon.exe (PID: 6896 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

filename1.exe (PID: 6980 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: E18DBE57194DD717D54A907BA8E6D3E1)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "92421eeb-c456-44c2-ab8d-5a66d7e5ab97", "Group": "Company", "Domain1": "194.5.98.202", "Domain2": "", "Port": 4488, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 6556	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 6556	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 6556	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x92f9:$a: NanoCore 0x9326:$a: NanoCore 0x937f:$a: NanoCore 0x10b8e:$a: NanoCore 0x10ba1:$a: NanoCore 0x10bd3:$a: NanoCore 0x1a664:$a: NanoCore 0x1a691:$a: NanoCore 0x1a6ea:$a: NanoCore 0x21ef9:$a: NanoCore 0x21f0c:$a: NanoCore 0x21f3e:$a: NanoCore 0x959c8:$a: NanoCore 0x95bf2:$a: NanoCore 0xcbe10:$a: NanoCore 0x147046:$a: NanoCore 0x147270:$a: NanoCore 0x17720b:$a: NanoCore 0x1772ac:$a: NanoCore 0x177319:$a: NanoCore 0x1773da:$a: NanoCore

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.RegAsm.exe.1dd712f8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
15.2.RegAsm.exe.1dd712f8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
15.2.RegAsm.exe.1edc7a58.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
15.2.RegAsm.exe.1edc7a58.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
15.2.RegAsm.exe.1edc7a58.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.RegAsm.exe.1edc7a58.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
15.2.RegAsm.exe.1edc7a58.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
15.2.RegAsm.exe.1edc7a58.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.RegAsm.exe.1edcc081.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
15.2.RegAsm.exe.1edcc081.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
15.2.RegAsm.exe.1edcc081.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 6 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 6556, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: taskhostw.exe None, ParentImage: C:\Windows\System32\taskhostw.exe, ParentProcessId: 6556, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp', ProcessId: 5496

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "92421eeb-c456-44c2-ab8d-5a66d7e5ab97", "Group": "Company", "Domain1": "194.5.98.202", "Domain2": "", "Port": 4488, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY
Source: Yara match	File source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE

Compliance:

Uses 32bit PE files

Show sources

Source: V33QokMrIv.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses new MSVCR Dlls

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbxe2b source: RegAsm.exe, 0000000F.00000003.1174003449.0000000001554000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: RegAsm.exe, 0000000F.00000003.1174003449.0000000001554000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.15.dr
Source:	Binary string: indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 194.5.98.202:4488
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49767 -> 194.5.98.202:4488
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49768 -> 194.5.98.202:4488
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 194.5.98.202:4488

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 194.5.98.202

Source: global traffic

TCP traffic: 192.168.2.4:49766 -> 194.5.98.202:4488

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.5.98.202

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp	String found in binary or memory: https://ibkebw.dm.files.1drv.com/
Source: RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp	String found in binary or memory: https://ibkebw.dm.files.1drv.com/Jep
Source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp, RegAsm.exe, 0000000F.00000002.1191919663.00000000014FB000.00000004.00000020.sdmp	String found in binary or memory: https://ibkebw.dm.files.1drv.com/y4m_7vjlVAP2dktIZ7ToWB_X8Tx5mpxc0CHqB4Dc4Xc8QJNrWia8ZAB0h8vRJGCEryL
Source: RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=802AC8A73EEC8C8E&resid=802AC8A73EEC8C8E%21110&authkey=AK1w6-P
Source: RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp	String found in binary or memory: https://onedrive.live.com/zZm

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: RegAsm.exe, 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY
Source: Yara match	File source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.RegAsm.exe.1dd712f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Source: C:\Users\user\Desktop\V33QokMrIv.exe	Process Stats: CPU usage > 98%
Source: C:\Users\user\subfolder1\filename1.exe	Process Stats: CPU usage > 98%

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_0100723F NtProtectVirtualMemory,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 22_2_049101B7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 24_2_050101B7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 27_2_049A01C8

Source: V33QokMrIv.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: V33QokMrIv.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: V33QokMrIv.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.15.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.15.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: filename1.exe.15.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: V33QokMrIv.exe, 00000000.00000000.646684744.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameKARAKTERISTIKONS.exe vs V33QokMrIv.exe
Source: V33QokMrIv.exe	Binary or memory string: OriginalFilenameKARAKTERISTIKONS.exe vs V33QokMrIv.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll

Source: V33QokMrIv.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.RegAsm.exe.1dd712f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegAsm.exe.1dd712f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winEXE@19/12@2/1

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Users\user\subfolder1

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5500:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{92421eeb-c456-44c2-ab8d-5a66d7e5ab97}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_01

Source: C:\Users\user\Desktop\V33QokMrIv.exe

File created: C:\Users\user\AppData\Local\Temp\~DF65C51E8A0EADE8B5.TMP

Jump to behavior

Source: V33QokMrIv.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\V33QokMrIv.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\subfolder1\filename1.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\Desktop\V33QokMrIv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\V33QokMrIv.exe 'C:\Users\user\Desktop\V33QokMrIv.exe'
Source: unknown	Process created: C:\Windows\System32\taskhostw.exe taskhostw.exe None
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\V33QokMrIv.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
Source: C:\Users\user\Desktop\V33QokMrIv.exe	Process created: C:\Windows\System32\taskhostw.exe taskhostw.exe None
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbxe2b source: RegAsm.exe, 0000000F.00000003.1174003449.0000000001554000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: RegAsm.exe, 0000000F.00000003.1174003449.0000000001554000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.15.dr
Source:	Binary string: indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01007101 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01006105 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01004109 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01003109 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01007111 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01007125 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_0100612D push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01004135 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_0100713D push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01006141 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_0100614F push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01006159 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01007171 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01006175 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01003179 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01006185 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_0100718D push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01006199 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010061A9 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010031B5 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010061B5 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010071B5 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010071D1 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010061D5 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010031E5 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010041ED push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010041F1 push FFFFFF84h; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010071F5 push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010041FD push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010061FF push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01006001 push cs; ret

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Users\user\subfolder1\filename1.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\V33QokMrIv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\V33QokMrIv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\V33QokMrIv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\subfolder1\filename1.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\V33QokMrIv.exe	RDTSC instruction interceptor: First address: 0000000000626160 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007FCC9C394612h 0x0000000c fnop 0x0000000e jmp 00007FCC9C394612h 0x00000010 test dl, FFFFFF9Ch 0x00000013 jmp 00007FCC9C394612h 0x00000015 test bl, bl 0x00000017 jmp 00007FCC9C394612h 0x00000019 pushad 0x0000001a mov bl, ACh 0x0000001c cmp bl, FFFFFFACh 0x0000001f jne 00007FCC9C391E83h 0x00000025 popad 0x00000026 mov eax, 00000539h 0x0000002b jmp 00007FCC9C394612h 0x0000002d cmp bx, F525h 0x00000032 mov ecx, dword ptr [ebp+1Ch] 0x00000035 mov edx, 8802EDACh 0x0000003a call 00007FCC9C393F5Fh 0x0000003f push esi 0x00000040 push edx 0x00000041 push ecx 0x00000042 jmp 00007FCC9C394612h 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe	RDTSC instruction interceptor: First address: 0000000000623B7D second address: 0000000000623C11 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c test bx, ax 0x0000000f mov ecx, 00A95F60h 0x00000014 push ecx 0x00000015 jmp 00007FCC9CA33912h 0x00000017 pushad 0x00000018 mov al, 1Eh 0x0000001a cmp al, 1Eh 0x0000001c jne 00007FCC9CA33799h 0x00000022 popad 0x00000023 call 00007FCC9CA33959h 0x00000028 call 00007FCC9CA33918h 0x0000002d lfence 0x00000030 mov edx, dword ptr [7FFE0014h] 0x00000036 lfence 0x00000039 ret 0x0000003a mov esi, edx 0x0000003c pushad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe	RDTSC instruction interceptor: First address: 0000000000623C11 second address: 0000000000623C11 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FCC9C394608h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FCC9C394612h 0x00000020 test dx, cx 0x00000023 add edi, edx 0x00000025 jmp 00007FCC9C394612h 0x00000027 test bh, ah 0x00000029 dec ecx 0x0000002a cmp eax, ecx 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007FCC9C3945AAh 0x00000031 push ecx 0x00000032 jmp 00007FCC9C394612h 0x00000034 pushad 0x00000035 mov al, 1Eh 0x00000037 cmp al, 1Eh 0x00000039 jne 00007FCC9C394499h 0x0000003f popad 0x00000040 call 00007FCC9C394659h 0x00000045 call 00007FCC9C394618h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe	RDTSC instruction interceptor: First address: 0000000000624994 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+1Ch] 0x0000000d jmp 00007FCC9C394612h 0x0000000f test ecx, 0CA7638Eh 0x00000015 mov edx, 8B8E133Dh 0x0000001a test ebx, eax 0x0000001c call 00007FCC9C395789h 0x00000021 push esi 0x00000022 push edx 0x00000023 push ecx 0x00000024 jmp 00007FCC9C394612h 0x00000026 pushad 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe	RDTSC instruction interceptor: First address: 0000000000624C68 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FCC9CA347D7h 0x0000000f push esi 0x00000010 push edx 0x00000011 push ecx 0x00000012 jmp 00007FCC9CA33912h 0x00000014 pushad 0x00000015 lfence 0x00000018 rdtsc

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\V33QokMrIv.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\V33QokMrIv.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\V33QokMrIv.exe	RDTSC instruction interceptor: First address: 0000000000626160 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007FCC9C394612h 0x0000000c fnop 0x0000000e jmp 00007FCC9C394612h 0x00000010 test dl, FFFFFF9Ch 0x00000013 jmp 00007FCC9C394612h 0x00000015 test bl, bl 0x00000017 jmp 00007FCC9C394612h 0x00000019 pushad 0x0000001a mov bl, ACh 0x0000001c cmp bl, FFFFFFACh 0x0000001f jne 00007FCC9C391E83h 0x00000025 popad 0x00000026 mov eax, 00000539h 0x0000002b jmp 00007FCC9C394612h 0x0000002d cmp bx, F525h 0x00000032 mov ecx, dword ptr [ebp+1Ch] 0x00000035 mov edx, 8802EDACh 0x0000003a call 00007FCC9C393F5Fh 0x0000003f push esi 0x00000040 push edx 0x00000041 push ecx 0x00000042 jmp 00007FCC9C394612h 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe	RDTSC instruction interceptor: First address: 0000000000623B7D second address: 0000000000623C11 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c test bx, ax 0x0000000f mov ecx, 00A95F60h 0x00000014 push ecx 0x00000015 jmp 00007FCC9CA33912h 0x00000017 pushad 0x00000018 mov al, 1Eh 0x0000001a cmp al, 1Eh 0x0000001c jne 00007FCC9CA33799h 0x00000022 popad 0x00000023 call 00007FCC9CA33959h 0x00000028 call 00007FCC9CA33918h 0x0000002d lfence 0x00000030 mov edx, dword ptr [7FFE0014h] 0x00000036 lfence 0x00000039 ret 0x0000003a mov esi, edx 0x0000003c pushad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe	RDTSC instruction interceptor: First address: 0000000000623C11 second address: 0000000000623C11 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FCC9C394608h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FCC9C394612h 0x00000020 test dx, cx 0x00000023 add edi, edx 0x00000025 jmp 00007FCC9C394612h 0x00000027 test bh, ah 0x00000029 dec ecx 0x0000002a cmp eax, ecx 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007FCC9C3945AAh 0x00000031 push ecx 0x00000032 jmp 00007FCC9C394612h 0x00000034 pushad 0x00000035 mov al, 1Eh 0x00000037 cmp al, 1Eh 0x00000039 jne 00007FCC9C394499h 0x0000003f popad 0x00000040 call 00007FCC9C394659h 0x00000045 call 00007FCC9C394618h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe	RDTSC instruction interceptor: First address: 0000000000623EAA second address: 0000000000623EAA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FCC9CA35FE6h 0x0000001d popad 0x0000001e call 00007FCC9CA33971h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe	RDTSC instruction interceptor: First address: 0000000000624994 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+1Ch] 0x0000000d jmp 00007FCC9C394612h 0x0000000f test ecx, 0CA7638Eh 0x00000015 mov edx, 8B8E133Dh 0x0000001a test ebx, eax 0x0000001c call 00007FCC9C395789h 0x00000021 push esi 0x00000022 push edx 0x00000023 push ecx 0x00000024 jmp 00007FCC9C394612h 0x00000026 pushad 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe	RDTSC instruction interceptor: First address: 0000000000624C68 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FCC9CA347D7h 0x0000000f push esi 0x00000010 push edx 0x00000011 push ecx 0x00000012 jmp 00007FCC9CA33912h 0x00000014 pushad 0x00000015 lfence 0x00000018 rdtsc
Source: C:\Users\user\Desktop\V33QokMrIv.exe	RDTSC instruction interceptor: First address: 0000000000625860 second address: 00000000006259B9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007FCC9C394612h 0x0000000e test edx, eax 0x00000010 push ecx 0x00000011 push eax 0x00000012 push dword ptr [ebp+00000110h] 0x00000018 call 00007FCC9C394713h 0x0000001d mov ecx, dword ptr [esp+0Ch] 0x00000021 mov edx, dword ptr [esp+08h] 0x00000025 jmp 00007FCC9C394612h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001003EAA second address: 0000000001003EAA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FCC9CA35FE6h 0x0000001d popad 0x0000001e call 00007FCC9CA33971h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001001FFF second address: 00000000010059B9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [edi+00000818h], eax 0x00000011 jmp 00007FCC9C394612h 0x00000013 test bh, dh 0x00000015 mov ebx, dword ptr [edi+3Ch] 0x00000018 add ebx, 000000F8h 0x0000001e mov dword ptr [edi+00000810h], ebx 0x00000024 mov esi, edi 0x00000026 jmp 00007FCC9C394612h 0x00000028 cmp cx, AB77h 0x0000002d add esi, 00001000h 0x00000033 xor edx, edx 0x00000035 push edx 0x00000036 push ebx 0x00000037 push 00000028h 0x00000039 jmp 00007FCC9C394612h 0x0000003b cmp bl, al 0x0000003d mov eax, dword ptr [ebp+20h] 0x00000040 add eax, ebx 0x00000042 push eax 0x00000043 test ax, cx 0x00000046 push esi 0x00000047 call 00007FCC9C397F25h 0x0000004c mov ecx, dword ptr [esp+0Ch] 0x00000050 mov edx, dword ptr [esp+08h] 0x00000054 jmp 00007FCC9C394612h 0x00000056 pushad 0x00000057 lfence 0x0000005a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000010022AC second address: 00000000010059B9 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+10h], 00000000h 0x0000000a mov dword ptr [ebp+14h], 00000000h 0x00000011 cmp dword ptr [edi+00000814h], 00000000h 0x00000018 je 00007FCC9CA33B5Eh 0x0000001e jmp 00007FCC9CA33912h 0x00000020 cmp bl, al 0x00000022 test ax, cx 0x00000025 jmp 00007FCC9CA33912h 0x00000027 pushad 0x00000028 mov bx, 1417h 0x0000002c cmp bx, 1417h 0x00000031 jne 00007FCC9CA31BADh 0x00000037 popad 0x00000038 test dh, ch 0x0000003a push ecx 0x0000003b cmp edx, edx 0x0000003d mov esi, dword ptr [edi+00000814h] 0x00000043 mov eax, dword ptr [edi+00000800h] 0x00000049 add eax, esi 0x0000004b add eax, ecx 0x0000004d push 00000014h 0x0000004f push eax 0x00000050 mov ebx, edi 0x00000052 add ebx, 00000C00h 0x00000058 push ebx 0x00000059 call 00007FCC9CA36F76h 0x0000005e mov ecx, dword ptr [esp+0Ch] 0x00000062 mov edx, dword ptr [esp+08h] 0x00000066 jmp 00007FCC9CA33912h 0x00000068 pushad 0x00000069 lfence 0x0000006c rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_01002990 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Window / User API: foregroundWindowGot 556

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6148	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6376	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6820	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: RegAsm.exe, 0000000F.00000002.1191919663.00000000014FB000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 0000000F.00000002.1191908435.00000000014F0000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWen-USn
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\V33QokMrIv.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\V33QokMrIv.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_01002990 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_01004DA1 LdrInitializeThunk,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01006010 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010039D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_010039F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01006B11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01006B25 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01005A40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01006AB7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01006AC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_01006AF1 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\V33QokMrIv.exe

Memory written: C:\Windows\System32\taskhostw.exe base: 1000000

Source: C:\Users\user\Desktop\V33QokMrIv.exe	Process created: C:\Windows\System32\taskhostw.exe taskhostw.exe None
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp'

Source: RegAsm.exe, 0000000F.00000002.1192015059.0000000001930000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000F.00000002.1192015059.0000000001930000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000F.00000002.1192015059.0000000001930000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 0000000F.00000002.1192015059.0000000001930000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: RegAsm.exe, 0000000F.00000002.1191997352.000000000158D000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exe

Language, Device and Operating System Detection:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_010029AD cpuid

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY
Source: Yara match	File source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RegAsm.exe, 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 0000000F.00000002.1213259233.000000001DD61000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY
Source: Yara match	File source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection112	Masquerading2	Input Capture11	Security Software Discovery521	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder1	Scheduled Task/Job1	Virtualization/Sandbox Evasion23	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	DLL Side-Loading1	Registry Run Keys / Startup Folder1	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	DLL Side-Loading1	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	System Information Discovery212	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
V33QokMrIv.exe	9%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\subfolder1\filename1.exe	9%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
194.5.98.202	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onedrive.live.com	unknown	unknown	false		high
ibkebw.dm.files.1drv.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
194.5.98.202	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://ibkebw.dm.files.1drv.com/	RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp	false	high
https://onedrive.live.com/download?cid=802AC8A73EEC8C8E&resid=802AC8A73EEC8C8E%21110&authkey=AK1w6-P	RegAsm.exe, RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp	false	high
https://onedrive.live.com/zZm	RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp	false	high
https://ibkebw.dm.files.1drv.com/y4m_7vjlVAP2dktIZ7ToWB_X8Tx5mpxc0CHqB4Dc4Xc8QJNrWia8ZAB0h8vRJGCEryL	RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp, RegAsm.exe, 0000000F.00000002.1191919663.00000000014FB000.00000004.00000020.sdmp	false	high
https://onedrive.live.com/	RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp	false	high
https://ibkebw.dm.files.1drv.com/Jep	RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.202	unknown	Netherlands		208476	DANILENKODE	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	357184
Start date:	24.02.2021
Start time:	09:23:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	V33QokMrIv.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@19/12@2/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 93% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.113.196.254, 13.107.3.254, 13.64.90.137, 52.255.188.83, 13.88.21.125, 51.104.139.180, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 13.107.43.13, 13.107.43.12, 20.190.160.6, 20.190.160.75, 20.190.160.69, 20.190.160.134, 20.190.160.132, 20.190.160.71, 20.190.160.73, 20.190.160.136, 51.11.168.232 Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odc-dm-files-geo.onedrive.akadns.net, arc.msn.com.nsatc.net, s-ring.msedge.net, www.tm.lg.prod.aadmsa.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, l-0004.dc-msedge.net, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-dm-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, ams2.next.a.prd.aadg.trafficmanager.net, login.live.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, odc-dm-files-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, l-0003.dc-msedge.net, settings-win.data.microsoft.com, s-ring.s-9999.s-msedge.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, s-9999.s-msedge.net, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/357184/sample/V33QokMrIv.exe

Simulations

Behavior and APIs

Time	Type	Description
09:26:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe
09:26:29	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" s>$(Arg0)
09:26:29	API Interceptor	666x Sleep call for process: RegAsm.exe modified
09:26:30	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
09:26:33	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:26:41	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
194.5.98.202	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	3Fv4j323nj.exe	Get hash	malicious	Browse	194.5.98.182
	scan09e8902093922023ce.exe	Get hash	malicious	Browse	194.5.98.46
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	194.5.98.182
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	194.5.98.202
	neue bestellung.PDF.exe	Get hash	malicious	Browse	194.5.97.48
	Orderoffer.exe	Get hash	malicious	Browse	194.5.98.66
	neue bestellung.PDF.exe	Get hash	malicious	Browse	194.5.97.48
	OrderSuppliesQuote0817916.exe	Get hash	malicious	Browse	194.5.97.248
	DHL_6368638172 documento de recibo,pdf.exe	Get hash	malicious	Browse	194.5.97.244
	QuotationInvoices.exe	Get hash	malicious	Browse	194.5.97.248
	PAYMENT_.EXE	Get hash	malicious	Browse	194.5.98.211
	payment.exe	Get hash	malicious	Browse	194.5.98.66
	RFQ_1101983736366355 1101938377388.exe	Get hash	malicious	Browse	194.5.98.21
	Slip copy .xls.exe	Get hash	malicious	Browse	194.5.97.116
	Scan0059.pdf.exe	Get hash	malicious	Browse	194.5.97.34
	DHL AWB # 6008824216.png.exe	Get hash	malicious	Browse	194.5.97.48
	Scan0019.exe	Get hash	malicious	Browse	194.5.97.34
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse	194.5.97.248
	Invoice467972.jar	Get hash	malicious	Browse	194.5.97.18
	Invoice467972.jar	Get hash	malicious	Browse	194.5.97.18

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	3Fv4j323nj.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Razy.845229.13077.exe	Get hash	malicious	Browse
	document.exe	Get hash	malicious	Browse
	w0JlVAbpIT.exe	Get hash	malicious	Browse
	Bjdl7RO0K8.exe	Get hash	malicious	Browse
	4hW0TZqN01.exe	Get hash	malicious	Browse
	d4e475d7d17a16be8b9eeac6e10b25af.exe	Get hash	malicious	Browse
	e5bd3238d220c97cd4d6969abb3b33e0.exe	Get hash	malicious	Browse
	1c2dec9cbfcd95afe13bf71910fdf95f.exe	Get hash	malicious	Browse
	Xf6v0G2wIM.exe	Get hash	malicious	Browse
	jztWD1iKrC.exe	Get hash	malicious	Browse
	wH22vdkhhU.exe	Get hash	malicious	Browse
	AqpOn6nwXS.exe	Get hash	malicious	Browse
	CklrD7MYX2.exe	Get hash	malicious	Browse
	FahZG6Pdc4.exe	Get hash	malicious	Browse
	61WlCsQR9Q.exe	Get hash	malicious	Browse
	U7DiqWP9qu.exe	Get hash	malicious	Browse
	d4x5rI09A7.exe	Get hash	malicious	Browse
	1WW425NrsA.exe	Get hash	malicious	Browse
	Kyd6mztyQ5.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	4.490095782293901
Encrypted:	false
SSDEEP:	768:0P2Bbv+VazyoD2z9TU//1mz1+M9GnLEu+2wTFRJS8Ulg:HJv46yoD2BTNz1+M9GLfOw8UO
MD5:	529695608EAFBED00ACA9E61EF333A7C
SHA1:	68CA8B6D8E74FA4F4EE603EB862E36F2A73BC1E5
SHA-256:	44F129DE312409D8A2DF55F655695E1D48D0DB6F20C5C7803EB0032D8E6B53D0
SHA-512:	8FE476E0185B2B0C66F34E51899B932CB35600C753D36FE102BDA5894CDAA58410044E0A30FDBEF76A285C2C75018D7C5A9BA0763D45EC605C2BBD1EBB9ED674
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 3Fv4j323nj.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Razy.845229.13077.exe, Detection: malicious, Browse Filename: document.exe, Detection: malicious, Browse Filename: w0JlVAbpIT.exe, Detection: malicious, Browse Filename: Bjdl7RO0K8.exe, Detection: malicious, Browse Filename: 4hW0TZqN01.exe, Detection: malicious, Browse Filename: d4e475d7d17a16be8b9eeac6e10b25af.exe, Detection: malicious, Browse Filename: e5bd3238d220c97cd4d6969abb3b33e0.exe, Detection: malicious, Browse Filename: 1c2dec9cbfcd95afe13bf71910fdf95f.exe, Detection: malicious, Browse Filename: Xf6v0G2wIM.exe, Detection: malicious, Browse Filename: jztWD1iKrC.exe, Detection: malicious, Browse Filename: wH22vdkhhU.exe, Detection: malicious, Browse Filename: AqpOn6nwXS.exe, Detection: malicious, Browse Filename: CklrD7MYX2.exe, Detection: malicious, Browse Filename: FahZG6Pdc4.exe, Detection: malicious, Browse Filename: 61WlCsQR9Q.exe, Detection: malicious, Browse Filename: U7DiqWP9qu.exe, Detection: malicious, Browse Filename: d4x5rI09A7.exe, Detection: malicious, Browse Filename: 1WW425NrsA.exe, Detection: malicious, Browse Filename: Kyd6mztyQ5.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z..................... .......... ........@.. ..............................N.....@.....................................O................................... ................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	20
Entropy (8bit):	3.6841837197791887
Encrypted:	false
SSDEEP:	3:QHXMKas:Q3Las
MD5:	B3AC9D09E3A47D5FD00C37E075A70ECB
SHA1:	AD14E6D0E07B00BD10D77A06D68841B20675680B
SHA-256:	7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
SHA-512:	09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
Malicious:	true
Preview:	1,"fusion","GAC",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	20
Entropy (8bit):	3.6841837197791887
Encrypted:	false
SSDEEP:	3:QHXMKas:Q3Las
MD5:	B3AC9D09E3A47D5FD00C37E075A70ECB
SHA1:	AD14E6D0E07B00BD10D77A06D68841B20675680B
SHA-256:	7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
SHA-512:	09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
Malicious:	false
Preview:	1,"fusion","GAC",0..

C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1319
Entropy (8bit):	5.133606110275315
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mne5xtn:cbk4oL600QydbQxIYODOLedq3Ze5j
MD5:	C6F0625BF4C1CDFB699980C9243D3B22
SHA1:	43DE1FE580576935516327F17B5DA0C656C72851
SHA-256:	8DFC4E937F0B2374E3CED25FCE344B0731CF44B8854625B318D50ECE2DA8F576
SHA-512:	9EF2DBD4142AD0E1E6006929376ECB8011E7FFC801EE2101E906787D70325AD82752DF65839DE9972391FA52E1E5974EC1A5C7465A88AA56257633EBB7D70969
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp801C.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	928
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtw:Ik/lCrwfk/lCrwfk/lCrwfk/lCrw8
MD5:	CCB690520E68EE385ACC0ACFE759AFFC
SHA1:	33F0DA3F55E5B3C5AC19B61D31471CB60BCD5C96
SHA-256:	166154225DAB5FCB79C1CA97D371B159D37B83FBC0ADABCD8EBA98FA113A7A3B
SHA-512:	AC4F3CF1F8F460745D37E6350861C2FBCDDCC1BBDE0A48FB361BFBF5B1EBF10A05F798A72CE413FCA073FF8108955353DDBCBD9D50CED6CDAE231C67A28FDDA3
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:zTn:zTn
MD5:	92E49A758034CCCB53F7E0C2540D8D1F
SHA1:	A110CF375A1151871163162E42572DB30665F4DD
SHA-256:	C7CB3AE57F1E7A86EDD4CBBB313AB5E1BDF253C6205AB1B2188DD27F44C6D11C
SHA-512:	376B05470948B965687BD787F2FF2A81B62F2D3157FD9213DD2D885453FE05FBFB0E6B4EF3F71774B6CA1A9AEE215DA5756F3E679C075B89D112E9225D055128
Malicious:	true
Preview:	3YR...H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.787365359936823
Encrypted:	false
SSDEEP:	3:oMty8WbSXgL4A:oMLWuQL4A
MD5:	EFD1636CFC3CC38FD7BABAE5CAC9EDE0
SHA1:	4D7D378ABEB682EEFBD039930C0EA996FBF54178
SHA-256:	F827D5B11C1EB3902D601C3E0B59BA32FE11C0B573FBF22FB2AF86BFD4651BBA
SHA-512:	69B2B0AB1A6E13395EF52DCB903B8E17D842E6D0D44F801FF2659CFD5EC343C8CC57928B02961FC7099AD43FF05633BAF5AC39042A00C8676D4FA8F6F8C2A5D7
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

C:\Users\user\subfolder1\filename1.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	4.886067635976852
Encrypted:	false
SSDEEP:	1536:uWWTwV4fVhuoUaaAAwT4uv65YEWDTkIlmak5AEivuxVQwV4MjW:2wVUPOpUlviYEWnkIlmak5zivQqwV
MD5:	E18DBE57194DD717D54A907BA8E6D3E1
SHA1:	76BACC8C5FBBF675399C39C42565DFC3D77BE98B
SHA-256:	B5D510179AB07F09C10CFA2EA9D95346FB696AFD3F642AF2882B3F4CD16D3FF5
SHA-512:	B5B4064FB475590E7EBFA51857117E5C8DAC0C98402809856CD17CF40EDBF455A28ECAB9BD4B431997C50AC1767AB7724F79ED356C33690AA9CB2DCDF38F7968
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L....bW.................P...................`....@.........................................................................tY..(....p......................................................................(... ....................................text....M.......P.................. ..`.data........`.......`..............@....rsrc........p.......p..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1010
Entropy (8bit):	4.298581893109255
Encrypted:	false
SSDEEP:	24:zKTDwL/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zKTDwAXZxo4ABV+SrUYE
MD5:	367EEEC425FE7E80B723298C447E2F22
SHA1:	3873DFC88AF504FF79231FE2BF0E3CD93CE45195
SHA-256:	481A7A3CA0DD32DA4772718BA4C1EF3F01E8D184FE82CF6E9C5386FD343264BC
SHA-512:	F7101541D87F045E9DBC45941CDC5A7F97F3EFC29AC0AF2710FC24FA64F0163F9463DE373A5D2BE1270126829DE81006FB8E764186374966E8D0E9BB35B7D7D6
Malicious:	false
Preview:	Microsoft (R) .NET Framework Assembly Registration Utility 2.0.50727.8922..Copyright (C) Microsoft Corporation 1998-2004. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information.. /? or /help Display this usage

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.886067635976852
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	V33QokMrIv.exe
File size:	131072
MD5:	e18dbe57194dd717d54a907ba8e6d3e1
SHA1:	76bacc8c5fbbf675399c39c42565dfc3d77be98b
SHA256:	b5d510179ab07f09c10cfa2ea9d95346fb696afd3f642af2882b3f4cd16d3ff5
SHA512:	b5b4064fb475590e7ebfa51857117e5c8dac0c98402809856cd17cf40edbf455a28ecab9bd4b431997c50ac1767ab7724f79ed356c33690aa9cb2dcdf38f7968
SSDEEP:	1536:uWWTwV4fVhuoUaaAAwT4uv65YEWDTkIlmak5AEivuxVQwV4MjW:2wVUPOpUlviYEWnkIlmak5zivQqwV
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L.....bW.................P...................`....@................

File Icon


Icon Hash:	01d292796dda0080

Static PE Info

General
Entrypoint:	0x4013dc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x57629AC2 [Thu Jun 16 12:25:38 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cc882d101998a701353b40b0cd8c341a

Entrypoint Preview

Instruction
push 00412778h
call 00007FCC9CB3C453h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cdq
push edx
movsd
inc esp
pop edi
test al, 15h
inc esp
cdq
das
xchg eax, ecx
mov al, byte ptr [1610F6ADh]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
xor cl, byte ptr [7061430Ah]
push esi
inc ecx
push edx
inc ebp
push esp
dec edi
inc edi
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add al, 8Fh
outsd
mov edx, 7A63B091h
inc edi
sbb dword ptr [eax+2FFB4570h], FFFFFFC3h
int 7Bh
cdq
adc ch, 00000022h
xchg dword ptr [edx+4Fh], esi
mov bl, 6Ch
out dx, al
xor byte ptr [ecx], al
push es
jle 00007FCC9CB3C3EDh
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov eax, dword ptr [A5000112h]
jnle 00007FCC9CB3C462h
add byte ptr [eax], al
adc al, byte ptr [eax]
push esp
push ebp
inc edx
inc ebp
push edx
inc ebx
push ebp
dec esp
inc ecx
push esp
dec edi
push ebx
push eax
dec ecx
dec esi
dec edi
push ebp
push ebx
add byte ptr [42000A01h], cl
jne 00007FCC9CB3C4D0h
add byte ptr fs:[eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15974	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x83f6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xe0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14da4	0x15000	False	0.404203869048	data	5.57673610906	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x16000	0xa18	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x83f6	0x9000	False	0.340494791667	data	3.53320400461	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x1f2ce	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x1dca6	0x1628	dBase IV DBT of \200.DBF, blocks size 0, block length 4608, next free block index 40, next free block 0, next used block 0
RT_ICON	0x1bffe	0x1ca8	data
RT_ICON	0x1b356	0xca8	data
RT_ICON	0x1afee	0x368	GLS_BINARY_LSB_FIRST
RT_ICON	0x18a46	0x25a8	data
RT_ICON	0x1799e	0x10a8	data
RT_ICON	0x17536	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x174c0	0x76	data
RT_VERSION	0x17240	0x280	data

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0000 0x04b0
InternalName	KARAKTERISTIKONS
FileVersion	1.00
CompanyName	Sinth Radio
ProductName	Sinth Radio
ProductVersion	1.00
FileDescription	Sinth Radio
OriginalFilename	KARAKTERISTIKONS.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/24/21-09:26:30.194652	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49766	4488	192.168.2.4	194.5.98.202
02/24/21-09:26:36.466553	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49767	4488	192.168.2.4	194.5.98.202
02/24/21-09:26:42.713931	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49768	4488	192.168.2.4	194.5.98.202
02/24/21-09:26:49.051394	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49769	4488	192.168.2.4	194.5.98.202

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 09:26:29.759485960 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:30.072976112 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:30.073151112 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:30.194652081 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:30.519912004 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:30.520106077 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:30.579900026 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:30.621732950 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:30.817673922 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:30.817770004 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:31.072177887 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:31.072329998 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:31.379748106 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:31.379842043 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:31.865875959 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:31.865948915 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:31.897878885 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:31.897898912 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:31.897965908 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:31.898910046 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:31.898935080 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:31.898964882 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:31.898991108 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:31.900007010 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:31.900026083 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:31.900054932 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:31.900068998 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:31.900100946 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:31.900779963 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:31.900842905 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:31.900964975 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:31.900985003 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:31.901024103 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:31.901043892 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.147021055 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.147356033 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.148334980 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.148435116 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.155035973 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.155081987 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.155155897 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.155174017 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.157094955 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.157135010 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.157166004 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.157191038 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.157259941 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.157358885 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.158186913 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.158226013 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.158242941 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.158289909 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.158941984 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.158981085 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.158999920 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.159012079 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.159029007 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.159085035 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.159105062 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.159154892 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.160456896 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.160502911 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.160518885 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.160587072 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.160630941 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.160686016 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.161052942 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.161092043 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.161123991 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.161134958 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.163206100 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.163245916 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.163291931 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.163326979 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.186757088 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.428322077 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.428378105 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.428481102 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.428503990 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.428936958 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.429208994 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.429279089 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.430398941 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.430552959 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.430603981 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.430718899 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.431397915 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.431442976 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.431495905 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.432112932 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.432153940 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.432179928 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.432225943 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.434156895 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.434190035 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.434241056 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.434262037 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.434284925 CET	4488	49766	194.5.98.202	192.168.2.4
Feb 24, 2021 09:26:32.434326887 CET	49766	4488	192.168.2.4	194.5.98.202
Feb 24, 2021 09:26:32.434345007 CET	4488	49766	194.5.98.202	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 09:24:01.168829918 CET	49714	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:01.217495918 CET	53	49714	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:01.496834040 CET	58028	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:01.545589924 CET	53	58028	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:02.737222910 CET	53097	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:02.789077044 CET	53	53097	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:03.904197931 CET	49257	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:03.954843998 CET	53	49257	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:04.748075962 CET	62389	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:04.799927950 CET	53	62389	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:06.179506063 CET	49910	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:06.228266954 CET	53	49910	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:07.560776949 CET	55854	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:07.622188091 CET	53	55854	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:08.894939899 CET	64549	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:08.949863911 CET	53	64549	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:11.116444111 CET	63153	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:11.166915894 CET	53	63153	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:17.570039988 CET	52991	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:17.618900061 CET	53	52991	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:28.313499928 CET	53700	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:28.365087986 CET	53	53700	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:29.132186890 CET	51726	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:29.184046984 CET	53	51726	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:30.045975924 CET	56794	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:30.095005989 CET	53	56794	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:30.917124033 CET	56534	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:30.967005968 CET	53	56534	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:32.215751886 CET	56627	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:32.267752886 CET	53	56627	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:32.378673077 CET	56621	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:32.427474976 CET	53	56621	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:33.902875900 CET	63116	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:33.951662064 CET	53	63116	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:35.413022995 CET	64078	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:35.465909004 CET	53	64078	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:41.079289913 CET	64801	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:41.127976894 CET	53	64801	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:42.642734051 CET	61721	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:42.692765951 CET	53	61721	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:46.903964043 CET	51255	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:46.955904961 CET	53	51255	8.8.8.8	192.168.2.4
Feb 24, 2021 09:24:59.856170893 CET	61522	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:24:59.931910038 CET	53	61522	8.8.8.8	192.168.2.4
Feb 24, 2021 09:25:00.631495953 CET	52337	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:25:00.732729912 CET	53	52337	8.8.8.8	192.168.2.4
Feb 24, 2021 09:25:01.512803078 CET	55046	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:25:01.581609964 CET	53	55046	8.8.8.8	192.168.2.4
Feb 24, 2021 09:25:02.044190884 CET	49612	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:25:02.101701021 CET	53	49612	8.8.8.8	192.168.2.4
Feb 24, 2021 09:25:02.605772972 CET	49285	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:25:02.663177967 CET	53	49285	8.8.8.8	192.168.2.4
Feb 24, 2021 09:25:03.188625097 CET	50601	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:25:03.251790047 CET	53	50601	8.8.8.8	192.168.2.4
Feb 24, 2021 09:25:03.889224052 CET	60875	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:25:03.937957048 CET	53	60875	8.8.8.8	192.168.2.4
Feb 24, 2021 09:25:04.678129911 CET	56448	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:25:04.744019032 CET	53	56448	8.8.8.8	192.168.2.4
Feb 24, 2021 09:25:05.883210897 CET	59172	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:25:05.946980000 CET	53	59172	8.8.8.8	192.168.2.4
Feb 24, 2021 09:25:06.425657034 CET	62420	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:25:06.499449968 CET	53	62420	8.8.8.8	192.168.2.4
Feb 24, 2021 09:25:06.626337051 CET	60579	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:25:06.692455053 CET	53	60579	8.8.8.8	192.168.2.4
Feb 24, 2021 09:25:14.779095888 CET	50183	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:25:14.838089943 CET	53	50183	8.8.8.8	192.168.2.4
Feb 24, 2021 09:25:42.622454882 CET	61531	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:25:42.673011065 CET	53	61531	8.8.8.8	192.168.2.4
Feb 24, 2021 09:25:46.251863003 CET	49228	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:25:46.320204020 CET	53	49228	8.8.8.8	192.168.2.4
Feb 24, 2021 09:26:25.442338943 CET	59794	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:26:25.502111912 CET	53	59794	8.8.8.8	192.168.2.4
Feb 24, 2021 09:26:26.115159035 CET	55916	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:26:26.206942081 CET	53	55916	8.8.8.8	192.168.2.4
Feb 24, 2021 09:28:59.089103937 CET	52752	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:28:59.142637968 CET	53	52752	8.8.8.8	192.168.2.4
Feb 24, 2021 09:29:00.463768959 CET	60542	53	192.168.2.4	8.8.8.8
Feb 24, 2021 09:29:00.531222105 CET	53	60542	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 24, 2021 09:26:25.442338943 CET	192.168.2.4	8.8.8.8	0x20d9	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Feb 24, 2021 09:26:26.115159035 CET	192.168.2.4	8.8.8.8	0x936	Standard query (0)	ibkebw.dm.files.1drv.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Type	Class
Feb 24, 2021 09:26:25.502111912 CET	8.8.8.8	192.168.2.4	0x20d9	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 09:26:26.206942081 CET	8.8.8.8	192.168.2.4	0x936	No error (0)	ibkebw.dm.files.1drv.com	dm-files.fe.1drv.com	CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 09:26:26.206942081 CET	8.8.8.8	192.168.2.4	0x936	No error (0)	dm-files.fe.1drv.com	odc-dm-files-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 09:28:59.142637968 CET	8.8.8.8	192.168.2.4	0xf14e	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net	CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: V33QokMrIv.exe PID: 6352 Parent PID: 5976

General

Start time:	09:24:09
Start date:	24/02/2021
Path:	C:\Users\user\Desktop\V33QokMrIv.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\V33QokMrIv.exe'
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	E18DBE57194DD717D54A907BA8E6D3E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: taskhostw.exe PID: 6556 Parent PID: 968

General

Start time:	09:24:47
Start date:	24/02/2021
Path:	C:\Windows\System32\taskhostw.exe
Wow64 process (32bit):	false
Commandline:	taskhostw.exe None
Imagebase:	0x7ff73c340000
File size:	87904 bytes
MD5 hash:	CE95E236FC9FE2D6F16C926C75B18BAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: RegAsm.exe PID: 6556 Parent PID: 6352

General

Start time:	09:26:10
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\V33QokMrIv.exe'
Imagebase:	0xc00000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exe PID: 5664 Parent PID: 6556

General

Start time:	09:26:11
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 5496 Parent PID: 6556

General

Start time:	09:26:27
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'
Imagebase:	0x920000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5500 Parent PID: 5496

General

Start time:	09:26:27
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 5516 Parent PID: 6556

General

Start time:	09:26:28
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp'
Imagebase:	0x920000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6520 Parent PID: 5516

General

Start time:	09:26:28
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: RegAsm.exe PID: 768 Parent PID: 968

General

Start time:	09:26:29
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Imagebase:	0x150000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6012 Parent PID: 768

General

Start time:	09:26:30
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: dhcpmon.exe PID: 2936 Parent PID: 968

General

Start time:	09:26:30
Start date:	24/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x740000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Analysis Process: conhost.exe PID: 4244 Parent PID: 2936

General

Start time:	09:26:30
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: filename1.exe PID: 6092 Parent PID: 3424

General

Start time:	09:26:33
Start date:	24/02/2021
Path:	C:\Users\user\subfolder1\filename1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	E18DBE57194DD717D54A907BA8E6D3E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 9%, ReversingLabs
Reputation:	low

Analysis Process: dhcpmon.exe PID: 6896 Parent PID: 3424

General

Start time:	09:26:41
Start date:	24/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x1f0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6864 Parent PID: 6896

General

Start time:	09:26:42
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: filename1.exe PID: 6980 Parent PID: 3424

General

Start time:	09:26:50
Start date:	24/02/2021
Path:	C:\Users\user\subfolder1\filename1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\subfolder1\filename1.exe'
Imagebase:	0x400000
File size:	131072 bytes
MD5 hash:	E18DBE57194DD717D54A907BA8E6D3E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report V33QokMrIv.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets