Analysis Report PAYMENT-PO#987654567.exe

Overview

General Information

Sample Name: PAYMENT-PO#987654567.exe
Analysis ID: 433326
MD5: 568727e4104e3f3e56a1368af64e9248
SHA1: d693795cbc34b9e49b1ace9581771e24e2d09f3c
SHA256: b1cd32f68858de3be8e43093dcc24b32b2ce00890857362a652f3e74cebb791c
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sigma detected: Suspicious Process Start Without DLL
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • PAYMENT-PO#987654567.exe (PID: 5372 cmdline: 'C:\Users\user\Desktop\PAYMENT-PO#987654567.exe' MD5: 568727E4104E3F3E56A1368AF64E9248)
    • RegAsm.exe (PID: 3568 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • schtasks.exe (PID: 1400 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAB2D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5588 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB06D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegAsm.exe (PID: 3136 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 5456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 4492 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 4652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5844 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 2840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "fa01d1ff-8193-42b2-a0e1-b0e6c90b",
  "Group": "PO-#9874567",
  "Domain1": "doc-file.ddns.net",
  "Domain2": "127.0.0.1",
  "Port": 7755,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": (Task Scheduler XML, shown decoded below)
}

BypassUserAccountControlData (decoded from the escaped string; the value ends with an unterminated "</Task" in the extracted configuration):

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task

Yara Overview

Memory Dumps

Source: 00000003.00000002.492063110.00000000063E0000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
Strings:
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

Source: 00000003.00000002.492063110.00000000063E0000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
Strings:
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Source: 00000003.00000002.486565092.0000000002EB1000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security

Source: 00000003.00000000.223604786.0000000000402000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
Strings:
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000003.00000000.223604786.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security

(list truncated: 24 entries in the full report)

Unpacked PEs

Source: 3.2.RegAsm.exe.3f00624.2.unpack
Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
Strings:
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost

Source: 3.2.RegAsm.exe.3f00624.2.unpack
Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
Strings:
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost

Source: 3.2.RegAsm.exe.3f00624.2.unpack
Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security

Source: 3.2.RegAsm.exe.6470000.9.unpack
Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
Strings:
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost

Source: 3.2.RegAsm.exe.6470000.9.unpack
Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
Strings:
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost

(list truncated: 60 entries in the full report)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3568, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3568, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\PAYMENT-PO#987654567.exe' , ParentImage: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe, ParentProcessId: 5372, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3568
Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\PAYMENT-PO#987654567.exe' , ParentImage: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe, ParentProcessId: 5372, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3568

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3568, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3568, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.489761514.0000000003EF9000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: PAYMENT-PO#987654567.exe, ReversingLabs: Detection: 41%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000003.00000002.486565092.0000000002EB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.223604786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.484697410.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.225391808.000000000406B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.492128185.0000000006470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.223324621.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.225536432.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.489761514.0000000003EF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3568, type: MEMORY
Source: Yara match, File source: Process Memory Space: PAYMENT-PO#987654567.exe PID: 5372, type: MEMORY
Source: Yara match, File source: 3.2.RegAsm.exe.3f00624.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.6470000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.3f00624.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.6474629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.3efb7ee.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.6470000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.3f04c4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PAYMENT-PO#987654567.exe, Joe Sandbox ML: detected
Source: 3.2.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.RegAsm.exe.6470000.9.unpack, Avira: Label: TR/NanoCore.fadte
Source: 3.0.RegAsm.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.RegAsm.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: PAYMENT-PO#987654567.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PAYMENT-PO#987654567.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RunPE.pdb, source: PAYMENT-PO#987654567.exe, 00000000.00000002.224845491.0000000002CA0000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb, source: dhcpmon.exe, dhcpmon.exe.3.dr
Source: Binary string: RegAsm.pdb4, source: dhcpmon.exe, 0000000A.00000002.238837643.0000000000C12000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.252842381.00000000002D2000.00000002.00020000.sdmp, dhcpmon.exe.3.dr

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: doc-file.ddns.net
Source: Malware configuration extractor, URLs: 127.0.0.1
Uses dynamic DNS services
Source: unknown, DNS query: name: doc-file.ddns.net
Source: global traffic, TCP traffic: 192.168.2.5:49711 -> 194.5.97.7:7755
Source: Joe Sandbox View, IP Address: 194.5.97.7
Source: Joe Sandbox View, ASN Name: DANILENKODE
Source: unknown, DNS traffic detected: queries for: doc-file.ddns.net
Source: RegAsm.exe, 00000003.00000002.492128185.0000000006470000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000003.00000002.486565092.0000000002EB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.223604786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.484697410.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.225391808.000000000406B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.492128185.0000000006470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.223324621.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.225536432.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.489761514.0000000003EF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3568, type: MEMORY
Source: Yara match, File source: Process Memory Space: PAYMENT-PO#987654567.exe PID: 5372, type: MEMORY
Source: Yara match, File source: 3.2.RegAsm.exe.3f00624.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.6470000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.3f00624.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.6474629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.3efb7ee.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.6470000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.3f04c4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000003.00000002.492063110.00000000063E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.223604786.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.223604786.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.484697410.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.484697410.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.225391808.000000000406B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.225391808.000000000406B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.492128185.0000000006470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.223324621.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.223324621.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.225536432.0000000004169000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.225536432.0000000004169000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.489761514.0000000003EF9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegAsm.exe PID: 3568, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegAsm.exe PID: 3568, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: PAYMENT-PO#987654567.exe PID: 5372, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: PAYMENT-PO#987654567.exe PID: 5372, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.RegAsm.exe.3f00624.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.RegAsm.exe.6470000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.RegAsm.exe.63e0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.RegAsm.exe.3f00624.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.RegAsm.exe.6474629.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.RegAsm.exe.2f02dd0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.RegAsm.exe.3efb7ee.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.RegAsm.exe.3efb7ee.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.RegAsm.exe.6470000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.RegAsm.exe.3f04c4d.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        .NET source code contains very large stringsShow sources
        Source: PAYMENT-PO#987654567.exe, SpanFill2d.csLong String: Length: 601984
        Source: 0.0.PAYMENT-PO#987654567.exe.880000.0.unpack, SpanFill2d.csLong String: Length: 601984
        Source: 0.2.PAYMENT-PO#987654567.exe.880000.0.unpack, SpanFill2d.csLong String: Length: 601984
        Initial sample is a PE file and has a suspicious nameShow sources
        Source: initial sampleStatic PE information: Filename: PAYMENT-PO#987654567.exe
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exeCode function: 0_2_0113D0400_2_0113D040
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exeCode function: 0_2_011362780_2_01136278
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exeCode function: 0_2_011349A00_2_011349A0
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exeCode function: 0_2_01135FD90_2_01135FD9
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exeCode function: 0_2_01135FE80_2_01135FE8
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0533E4713_2_0533E471
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0533E4803_2_0533E480
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0533BBD43_2_0533BBD4
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_069700403_2_06970040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00C13DFE10_2_00C13DFE
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_002D3DFE14_2_002D3DFE
        Source: PAYMENT-PO#987654567.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: PAYMENT-PO#987654567.exe, 00000000.00000002.224845491.0000000002CA0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPE.dll" vs PAYMENT-PO#987654567.exe
        Source: PAYMENT-PO#987654567.exe, 00000000.00000000.220082406.00000000009AE000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#987654567.exe
        Source: PAYMENT-PO#987654567.exe, 00000000.00000002.224867415.0000000002DC1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWallpaperChanger.dllB vs PAYMENT-PO#987654567.exe
        Source: PAYMENT-PO#987654567.exeBinary or memory string: OriginalFilenameSeededGrow2d.exe: vs PAYMENT-PO#987654567.exe
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
        Source: PAYMENT-PO#987654567.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Yara rules matched by the sources below (each rule's metadata shown once):
        Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.492063110.00000000063E0000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 00000003.00000000.223604786.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000003.00000002.484697410.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000000.00000002.225391808.000000000406B000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000003.00000002.492128185.0000000006470000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 00000003.00000000.223324621.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000000.00000002.225536432.0000000004169000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000003.00000002.489761514.0000000003EF9000.00000004.00000001.sdmp, type: MEMORY | Matched rules: NanoCore
        Source: Process Memory Space: RegAsm.exe PID: 3568, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: Process Memory Space: PAYMENT-PO#987654567.exe PID: 5372, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 3.2.RegAsm.exe.3f00624.2.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 3.2.RegAsm.exe.6470000.9.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 3.2.RegAsm.exe.63e0000.7.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 3.2.RegAsm.exe.3f00624.2.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#987654567.exe.2e16058.6.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#987654567.exe.2e345c4.7.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#987654567.exe.2e25790.5.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Feb18_1
        Source: 3.2.RegAsm.exe.6474629.8.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 3.2.RegAsm.exe.2f02dd0.1.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 3.2.RegAsm.exe.3efb7ee.4.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 3.2.RegAsm.exe.6470000.9.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 3.2.RegAsm.exe.3f04c4d.3.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: PAYMENT-PO#987654567.exe, ScanlineFill2d.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 0.0.PAYMENT-PO#987654567.exe.880000.0.unpack, ScanlineFill2d.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 0.2.PAYMENT-PO#987654567.exe.880000.0.unpack, ScanlineFill2d.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 3.2.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.2.RegAsm.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 3.2.RegAsm.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 3.0.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: PAYMENT-PO#987654567.exe, SpanFill2d.cs | Base64 encoded string: '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
        Source: 0.0.PAYMENT-PO#987654567.exe.880000.0.unpack, SpanFill2d.cs | Base64 encoded string: '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
        Source: 0.2.PAYMENT-PO#987654567.exe.880000.0.unpack, SpanFill2d.cs | Base64 encoded string: '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
        Source: 3.0.RegAsm.exe.400000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.RegAsm.exe.400000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.2.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.2.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.RegAsm.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/11@13/2
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT-PO#987654567.exe.log
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2968:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2840:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5456:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4960:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{fa01d1ff-8193-42b2-a0e1-b0e6c90b42b3}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4652:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\tmpAB2D.tmp
        Source: PAYMENT-PO#987654567.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: PAYMENT-PO#987654567.exe | ReversingLabs: Detection: 41%
        Source: PAYMENT-PO#987654567.exe | String found in binary or memory: 1oGZloIWv2gKvPWZLcJ7BTdauS2E6vX5sZy0pp+Cai7aep7L0It+WTipm2XUzcZJFOQ4I6mvbxZysvpKC4zzxSb+HgUWTWwCrgA+/epoCRIoRL/AdDrz6pbrpQywkBB6Ql
        Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe 'C:\Users\user\Desktop\PAYMENT-PO#987654567.exe'
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAB2D.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB06D.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
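The process tree above (a user-launched executable starting the .NET Framework's RegAsm.exe with no assembly argument, that RegAsm.exe then registering two scheduled tasks from XML files in the user's Temp directory, and the dropped dhcpmon.exe later being started on its own) is the observable side of the injection and persistence signatures listed earlier. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it encodes those three observations as rules and runs them over process-creation records constructed from this report's lines. RegAsm.exe is the only host binary the report shows; the other .NET tool names and the list of suspicious children are assumptions that extend the check beyond this one sample.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the creating process ("unknown" where the sandbox logged none)
    image: str     # image path of the created process
    cmdline: str   # command line as logged (this sandbox renders double quotes as single quotes)


# Constructed from the "Process created" lines of this report, in the order they appear.
EVENTS = [
    ProcEvent("unknown", r"C:\Users\user\Desktop\PAYMENT-PO#987654567.exe",
              r"'C:\Users\user\Desktop\PAYMENT-PO#987654567.exe'"),
    ProcEvent(r"C:\Users\user\Desktop\PAYMENT-PO#987654567.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", r"C:\Windows\SysWOW64\schtasks.exe",
              r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAB2D.tmp'"),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", r"C:\Windows\SysWOW64\schtasks.exe",
              r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB06D.tmp'"),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent("unknown", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent("unknown", r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
              r"'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0"),
    ProcEvent(r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent("unknown", r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
              r"'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'"),
    ProcEvent(r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# .NET Framework tools that load and run an assembly named on their command line; started with no
# assembly argument they have nothing legitimate to do, which is why injectors pick them as hosts.
# RegAsm.exe is the one in this report; the other names are an assumption extending the check.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
# Children such a tool never spawns by itself (assumed list; schtasks.exe is the one seen here).
SUSPECT_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "reg.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv_of(cmdline):
    """Split a logged command line; quoted arguments (single quotes here) stay whole."""
    return [t.strip("'") for t in re.findall(r"'[^']*'|\S+", cmdline)]


def option_value(argv, flag):
    """Value following a schtasks-style flag such as /tn or /xml, or None."""
    low = [a.lower() for a in argv]
    if flag in low and low.index(flag) + 1 < len(argv):
        return argv[low.index(flag) + 1]
    return None


def analyse(events):
    """Return (rule, subject, detail) findings for the three behaviours this report documents."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent)
        args = argv_of(ev.cmdline)[1:]
        if img in DOTNET_HOSTS and not any(a.lower().endswith((".dll", ".exe")) for a in args):
            findings.append(("dotnet_host_without_assembly", ev.image, ev.cmdline))
        if parent in DOTNET_HOSTS and img in SUSPECT_CHILDREN:
            findings.append(("dotnet_host_spawned_" + img[:-4], ev.parent, ev.cmdline))
        if img == "schtasks.exe" and "/create" in (a.lower() for a in args):
            xml = option_value(args, "/xml")
            if xml and "\\appdata\\local\\temp\\" in xml.lower():
                findings.append(("schtasks_create_from_temp_xml", option_value(args, "/tn"), xml))
    return findings


def persistence_task_names(findings):
    """Task names registered from a Temp-directory XML, in the order they were created."""
    return [subject for rule, subject, _ in findings if rule == "schtasks_create_from_temp_xml"]


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(*finding, sep="  ")
```

The same rules apply unchanged to Sysmon event ID 1 or EDR process-creation records once parent, image and command line are mapped onto ProcEvent. conhost.exe is started for any console process and is deliberately left unflagged; the bare "RegAsm.exe 0" launch, which is the scheduled task restarting the implant, is caught by the missing-assembly rule rather than by its parent, since the task scheduler is the parent there.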
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: PAYMENT-PO#987654567.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: PAYMENT-PO#987654567.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
        Source: PAYMENT-PO#987654567.exe | Static file information: File size 1438208 > 1048576
        Source: PAYMENT-PO#987654567.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12ae00
        Source: PAYMENT-PO#987654567.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: RunPE.pdb | source: PAYMENT-PO#987654567.exe, 00000000.00000002.224845491.0000000002CA0000.00000004.00000001.sdmp
        Source: Binary string: RegAsm.pdb | source: dhcpmon.exe, dhcpmon.exe.3.dr
        Source: Binary string: RegAsm.pdb4 | source: dhcpmon.exe, 0000000A.00000002.238837643.0000000000C12000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.252842381.00000000002D2000.00000002.00020000.sdmp, dhcpmon.exe.3.dr

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.RegAsm.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00C14289 push es; retf 10_2_00C14294
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00C144A3 push es; retf 10_2_00C144A4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00C14469 push cs; retf 10_2_00C1449E
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_002D4469 push cs; retf 14_2_002D449E
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_002D44A3 push es; retf 14_2_002D44A4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_002D4289 push es; retf 14_2_002D4294
        Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.RegAsm.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.RegAsm.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAB2D.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Process information set: NOOPENFILEERRORBOX (logged 22 times)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (logged 48 times)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX (logged 17 times)
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 5423
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 4012
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: foregroundWindowGot 899
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe TID: 4508 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4516 Thread sleep time: -22136092888451448s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4960 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6056 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6120 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (logged 5 times)
        Source: RegAsm.exe, 00000003.00000002.492566854.0000000006D40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: RegAsm.exe, 00000003.00000002.492566854.0000000006D40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: RegAsm.exe, 00000003.00000002.492566854.0000000006D40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: RegAsm.exe, 00000003.00000002.492566854.0000000006D40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
        Injects a PE file into a foreign process
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 420000
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CC1008
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAB2D.tmp'
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB06D.tmp'
        Source: RegAsm.exe, 00000003.00000002.491880402.000000000636D000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: RegAsm.exe, 00000003.00000002.486383024.0000000001790000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: RegAsm.exe, 00000003.00000002.486383024.0000000001790000.00000002.00000001.sdmp Binary or memory string: Progman
        Source: RegAsm.exe, 00000003.00000002.486383024.0000000001790000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
        Source: RegAsm.exe, 00000003.00000002.487244401.0000000003089000.00000004.00000001.sdmp Binary or memory string: Program Managerm Manager
        Source: RegAsm.exe, 00000003.00000002.486383024.0000000001790000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
        Source: RegAsm.exe, 00000003.00000002.486383024.0000000001790000.00000002.00000001.sdmp Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Queries volume information: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match File source: 00000003.00000002.486565092.0000000002EB1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000000.223604786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000002.484697410.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.225391808.000000000406B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000002.492128185.0000000006470000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000000.223324621.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.225536432.0000000004169000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000002.489761514.0000000003EF9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3568, type: MEMORY
        Source: Yara match File source: Process Memory Space: PAYMENT-PO#987654567.exe PID: 5372, type: MEMORY
        Source: Yara match File source: 3.2.RegAsm.exe.3f00624.2.unpack, type: UNPACKEDPE
        Source: Yara match File source: 3.2.RegAsm.exe.6470000.9.unpack, type: UNPACKEDPE
        Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.unpack, type: UNPACKEDPE
        Source: Yara match File source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.unpack, type: UNPACKEDPE
        Source: Yara match File source: 3.2.RegAsm.exe.3f00624.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 3.2.RegAsm.exe.6474629.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 3.2.RegAsm.exe.3efb7ee.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 3.2.RegAsm.exe.6470000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 3.2.RegAsm.exe.3f04c4d.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: PAYMENT-PO#987654567.exe, 00000000.00000002.225391808.000000000406B000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000003.00000002.492063110.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000003.00000002.492063110.00000000063E0000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match, File source: 00000003.00000002.486565092.0000000002EB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.223604786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.484697410.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.225391808.000000000406B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.492128185.0000000006470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.223324621.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.225536432.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.489761514.0000000003EF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3568, type: MEMORY
Source: Yara match, File source: Process Memory Space: PAYMENT-PO#987654567.exe PID: 5372, type: MEMORY
Source: Yara match, File source: 3.2.RegAsm.exe.3f00624.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.6470000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.3f00624.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.6474629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.3efb7ee.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.6470000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.41292e8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.RegAsm.exe.3f04c4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.4169308.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PAYMENT-PO#987654567.exe.41092c8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter2 | Scheduled Task/Job1 | Process Injection312 | Masquerading2 | Input Capture11 | Security Software Discovery1 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | DLL Side-Loading1 | Scheduled Task/Job1 | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading1 | Virtualization/Sandbox Evasion21 | Security Account Manager | Virtualization/Sandbox Evasion21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection312 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | System Information Discovery12 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol21 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information11 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing11 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

        Behavior Graph

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Behavior Graph ID: 433326
Sample: PAYMENT-PO#987654567.exe
Startdate: 11/06/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 10 other signatures

Process tree recovered from the graph (the graph image itself is not reproduced here):

PAYMENT-PO#987654567.exe (started)
  dropped: C:\Users\...\PAYMENT-PO#987654567.exe.log, ASCII
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  RegAsm.exe (started)
    DNS/IP: doc-file.ddns.net 194.5.97.7, ports 49711, 49713, 49715, DANILENKODE, Netherlands; 127.0.0.1 unknown unknown
    dropped: C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859; C:\Users\user\AppData\Local\...\tmpAB2D.tmp, XML; C:\Program Files (x86)\...\dhcpmon.exe, PE32
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
    schtasks.exe (started)
      conhost.exe (started)
    schtasks.exe (started)
      conhost.exe (started)
RegAsm.exe (started)
  conhost.exe (started)
dhcpmon.exe (started)
  conhost.exe (started)
dhcpmon.exe (started)
  conhost.exe (started)

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
PAYMENT-PO#987654567.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
PAYMENT-PO#987654567.exe | 100% | Joe Sandbox ML |

        Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |

        Unpacked PE Files

Source | Detection | Scanner | Label
3.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.2.RegAsm.exe.6470000.9.unpack | 100% | Avira | TR/NanoCore.fadte
3.0.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.RegAsm.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

Source | Detection | Scanner | Label
doc-file.ddns.net | 0% | Avira URL Cloud | safe
127.0.0.1 | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
doc-file.ddns.net | 194.5.97.7 | true | true | | unknown

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
doc-file.ddns.net | true | Avira URL Cloud: safe | unknown
127.0.0.1 | true | Avira URL Cloud: safe | unknown

          Contacted IPs


          Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.97.7 | doc-file.ddns.net | Netherlands | 208476 | DANILENKODE | true

          Private

          IP
          127.0.0.1

          General Information

          Joe Sandbox Version:32.0.0 Black Diamond
          Analysis ID:433326
          Start date:11.06.2021
          Start time:16:33:18
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 9m 27s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:PAYMENT-PO#987654567.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:33
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@15/11@13/2
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 0.9% (good quality ratio 0.7%)
          • Quality average: 58.9%
          • Quality standard deviation: 30.7%
          HCA Information:
          • Successful, ratio: 99%
          • Number of executed functions: 45
          • Number of non-executed functions: 4
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 93.184.220.29, 20.50.102.62, 13.88.21.125, 92.122.145.220, 13.64.90.137, 23.218.208.56, 20.54.26.129, 20.82.210.154, 92.122.213.194, 92.122.213.247
          • Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, cs9.wac.phicdn.net, fs.microsoft.com, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net
• Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.

          Simulations

          Behavior and APIs

Time | Type | Description
16:34:10 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" s>$(Arg0)
16:34:10 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
16:34:11 | API Interceptor | 1017x Sleep call for process: RegAsm.exe modified
16:34:13 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

          Joe Sandbox View / Context

          IPs

Match | Associated Sample Name / URL | Detection
194.5.97.7 | 8RJwUlmBjb.exe | malicious
194.5.97.7 | B882ITuiXnqLLeM.exe | malicious
194.5.97.7 | Doc_43795379326436.PDF.exe | malicious
194.5.97.7 | aqa4dSbdFYw5DlK.exe | malicious
194.5.97.7 | IITuGuCnGifznoN.exe | malicious
194.5.97.7 | IITuGuCnGifznoN.exe | malicious
194.5.97.7 | RAHIM TRADING CO. FOR IMP.exe | malicious
194.5.97.7 | RAHIM TRADING CO. FOR IMP. & EXP.exe | malicious

                          Domains

                          No context

                          ASN

Match | Associated Sample Name / URL | Detection | Context
DANILENKODE | OUTSTANDING INVOICE.pdf.exe | malicious | 194.5.98.28
DANILENKODE | Request Letter for Courtesy Call.xlsx | malicious | 194.5.97.61
DANILENKODE | SecuriteInfo.com.Heur.23766.xls | malicious | 194.5.97.241
DANILENKODE | SwiftCopy.pdf.exe | malicious | 194.5.98.31
DANILENKODE | wlCqbMRJ7p.exe | malicious | 194.5.98.5
DANILENKODE | SecuriteInfo.com.Trojan.PackedNET.832.3222.exe | malicious | 194.5.98.144
DANILENKODE | SecuriteInfo.com.Trojan.PackedNET.831.12541.exe | malicious | 194.5.98.144
DANILENKODE | 0Cg1YYs1sv.exe | malicious | 194.5.98.144
DANILENKODE | Duplicated Orders.xlsx | malicious | 194.5.98.144
DANILENKODE | DEPOSITAR.xlsx | malicious | 194.5.98.144
DANILENKODE | InvoicePOzGlybgcIc1vHasG.exe | malicious | 194.5.98.87
DANILENKODE | POInvoiceOrderIuVvcl0VWEOAmXy.exe | malicious | 194.5.98.87
DANILENKODE | payment invoice.exe | malicious | 194.5.98.23
DANILENKODE | #RFQ ORDER484475577797.exe | malicious | 194.5.98.120
DANILENKODE | b6yzWugw8V.exe | malicious | 194.5.98.107
DANILENKODE | 0041#Receipt.pif.exe | malicious | 194.5.98.180
DANILENKODE | j07ghiByDq.exe | malicious | 194.5.97.146
DANILENKODE | j07ghiByDq.exe | malicious | 194.5.97.146
DANILENKODE | PROOF OF PAYMENT.exe | malicious | 194.5.97.18
DANILENKODE | SecuriteInfo.com.Trojan.PackedNET.820.24493.exe | malicious | 194.5.97.61

                          JA3 Fingerprints

                          No context

                          Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | n3sQ7uTU8v.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 20014464370.PDF.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | aXgdOUvL9L.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | DHL#DOCUMENTS001010.PDF.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | kyIfnzzg3E.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | flyZab7hHk.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | AedJpyQ9lM.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | UPDATED SOA.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | qdFDmi3Bhy.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | RFQ27559404D4E5A.PDF.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Receiptn.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PURCHASE LIST.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | SecuriteInfo.com.Trojan.PackedNET.783.10804.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Y6k2VgaGck.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Bank swift.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | tT1XWdxOYv.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 363IN050790620 BOOKING.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | New Order.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | RFQ#21040590409448.pdf.exe | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | DHL#DOCUMENTS02010910.PDF.exe | malicious

                                                                  Created / dropped Files

                                                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64616
                                                                  Entropy (8bit):6.037264560032456
                                                                  Encrypted:false
                                                                  SSDEEP:768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
                                                                  MD5:6FD7592411112729BF6B1F2F6C34899F
                                                                  SHA1:5E5C839726D6A43C478AB0B95DBF52136679F5EA
                                                                  SHA-256:FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
                                                                  SHA-512:21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
                                                                  Malicious:false
                                                                  Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
• Filename: n3sQ7uTU8v.exe, Detection: malicious
• Filename: 20014464370.PDF.exe, Detection: malicious
• Filename: aXgdOUvL9L.exe, Detection: malicious
• Filename: DHL#DOCUMENTS001010.PDF.exe, Detection: malicious
• Filename: kyIfnzzg3E.exe, Detection: malicious
• Filename: flyZab7hHk.exe, Detection: malicious
• Filename: AedJpyQ9lM.exe, Detection: malicious
• Filename: UPDATED SOA.exe, Detection: malicious
• Filename: qdFDmi3Bhy.exe, Detection: malicious
• Filename: RFQ27559404D4E5A.PDF.exe, Detection: malicious
• Filename: Receiptn.exe, Detection: malicious
• Filename: PURCHASE LIST.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.PackedNET.783.10804.exe, Detection: malicious
• Filename: Y6k2VgaGck.exe, Detection: malicious
• Filename: Bank swift.exe, Detection: malicious
• Filename: tT1XWdxOYv.exe, Detection: malicious
• Filename: 363IN050790620 BOOKING.exe, Detection: malicious
• Filename: New Order.exe, Detection: malicious
• Filename: RFQ#21040590409448.pdf.exe, Detection: malicious
• Filename: DHL#DOCUMENTS02010910.PDF.exe, Detection: malicious
                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT-PO#987654567.exe.log
                                                                  Process:C:\Users\user\Desktop\PAYMENT-PO#987654567.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):706
                                                                  Entropy (8bit):5.342604339328228
                                                                  Encrypted:false
                                                                  SSDEEP:12:Q3La/KDLI4MWuPk21rkvoDLI4MWuCq1KDLI4Mq92n4M9XKbbDLI4MWuPJKiUrRZT:ML9E4Ks29E4Kx1qE4x84qXKDE4KhK3Vt
                                                                  MD5:9C1DF7CA80077C63698DCFE531754F1F
                                                                  SHA1:44E2DE975BF1364781A2E5EDE576D1FBCD948097
                                                                  SHA-256:78D4E6F15372E7DFE7C9D5C10BB515995A20AFAEF839C56E750CC336620BCFAB
                                                                  SHA-512:7078AFFB531F2AA5C813FB259C113CB1A02C992F76C47AAE036B8591C65EB4A2037B3BDAD83BBD4D30FA7D2CE244D9943C18EA8AA668FEBCD52B864E7476F84D
                                                                  Malicious:true
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):42
                                                                  Entropy (8bit):4.0050635535766075
                                                                  Encrypted:false
                                                                  SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                  MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                  SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                  SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                  SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                  Malicious:false
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):42
                                                                  Entropy (8bit):4.0050635535766075
                                                                  Encrypted:false
                                                                  SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                  MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                  SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                  SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                  SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                  Malicious:false
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                  C:\Users\user\AppData\Local\Temp\tmpAB2D.tmp
                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1319
                                                                  Entropy (8bit):5.134254141338449
                                                                  Encrypted:false
                                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mxz5xtn:cbk4oL600QydbQxIYODOLedq3Zxz5j
                                                                  MD5:48EF7FA9033389AD7929D7A6B9D10298
                                                                  SHA1:9DB6CB7325C8BDF66A15F7B5F34703709A45AEB6
                                                                  SHA-256:0C1B5F67EEB276D1D4205B138CE32BC6149924E02281A2DB8E4623A700E88F15
                                                                  SHA-512:AC8BD104ECBACC9BCCCE9E087F67E5B18072D59367CCD31D4E66132B6BAAEA520CBA5B9B59464483D86ABF74826B382C402F12E9A586C99BDA8C78A0DE33944E
                                                                  Malicious:true
                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                  C:\Users\user\AppData\Local\Temp\tmpB06D.tmp
                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1310
                                                                  Entropy (8bit):5.109425792877704
                                                                  Encrypted:false
                                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                  MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                  SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                  SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                  SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                  Malicious:false
                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                  File Type:ISO-8859 text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):8
                                                                  Entropy (8bit):3.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:v8:k
                                                                  MD5:A09FCDB23ECE19528BB7449345BC185D
                                                                  SHA1:DF1A8BD907EAE6723B67752B8330CE89361CE405
                                                                  SHA-256:8045AC16130B0AF030BFD8B43098B481F800223AB711D58F8C51BF4C25CA2020
                                                                  SHA-512:3355DCCD1642C89520507000E95D81B46B8C0A2041506F0564EC15F5D900E1AACC2DA66B1B456EE22E7EEE129C337D14B1ACD47FFE86B0C1CFDD167DBB1FA3CA
                                                                  Malicious:true
                                                                  Preview: ...h1-.H
                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):56
                                                                  Entropy (8bit):4.823079645651109
                                                                  Encrypted:false
                                                                  SSDEEP:3:oMty8WddSWAnPL4A:oMLW6WAnPL4A
                                                                  MD5:743A1D76D284D8E42E19061A3F13A723
                                                                  SHA1:D6BBE641CBAC7B46C0922F32DCC89F8F5B87F98C
                                                                  SHA-256:86093BF03032ACFCEF934A0D8363B66AAF4ADEE58015DA0172E13635B1DD1FE8
                                                                  SHA-512:DF687DCD985D1F6127624220083DFD93A39FEBCE02A869F4126787DF3724890ECC10FF18077BFDEF02FCC802440F3F83545E4DA4BD826DC84E59B26A105F6567
                                                                  Malicious:false
                                                                  Preview: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                  \Device\ConDrv
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1049
                                                                  Entropy (8bit):4.2989523990568035
                                                                  Encrypted:false
                                                                  SSDEEP:24:z3U3g4DO/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zEw4DBXZxo4ABV+SrUYE
                                                                  MD5:970EE6AEAB63008333D1D883327DA660
                                                                  SHA1:A71E19F66886B1888A183BA1777A23FABAE9822E
                                                                  SHA-256:D270D397EB3CF1173D25795834B240466EFEE213E11B1B31CDC101015AFFCAD9
                                                                  SHA-512:EB49AEE1B4524E6F15C08345A380D7D28DC845DEBA5408A7D034F2F7F5A652C8A2E2FF293BFB307DE87DCC2FAA111BA3BE8BEF9C4752A73DE1835DCD844D39BB
                                                                  Malicious:false
                                                                  Preview: Microsoft .NET Framework Assembly Registration Utility version 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information..

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 4.798704714965638
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
  • Win32 Executable (generic) a (10002005/4) 49.78%
  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
  • Generic Win/DOS Executable (2004/3) 0.01%
  • DOS Executable Generic (2002/1) 0.01%
File name: PAYMENT-PO#987654567.exe
File size: 1438208
MD5: 568727e4104e3f3e56a1368af64e9248
SHA1: d693795cbc34b9e49b1ace9581771e24e2d09f3c
SHA256: b1cd32f68858de3be8e43093dcc24b32b2ce00890857362a652f3e74cebb791c
SHA512: 999340520a456aa62317fb7ea87b3902d6eabbeb739aebf8a7b30b99f60155fa25794390d3691d0dcdabe964df0d8d1282dc51d0bc4dbe9f6ae75ebe489ab66f
SSDEEP: 12288:GY7M3pV+bJAx980BoMM48zYWSqd98i/76FjtNAJwDLHaRPPMC2FQFjBqRxmygNcz:TgtehTZZEMSXA6aUcfsp8QgmD40X
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0......B......n.... ........@.. .......................@............@................................

File Icon

Icon Hash: 81c0c1a14931c4c8

Static PE Info

General

Entrypoint: 0x52cd6e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60B71CB7 [Wed Jun 2 05:52:55 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is repeated 97 times in the preview: the bytes following the jmp are zero padding, and the byte pair 00 00 disassembles as add byte ptr [eax], al)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x12cd20         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x12e000         0x33e34       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x162000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
.text  | 0x2000          | 0x12ad74     | 0x12ae00 | False    | 0.47861528257   | data      | 4.07686014064  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc  | 0x12e000        | 0x33e34      | 0x34000  | False    | 0.437903771034  | data      | 5.71331335745  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x162000        | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name          | RVA      | Size    | Type                                                                                                                                              | Language | Country
RT_ICON       | 0x12e2b0 | 0x468   | GLS_BINARY_LSB_FIRST                                                                                                                              |          |
RT_ICON       | 0x12e718 | 0x988   | data                                                                                                                                              |          |
RT_ICON       | 0x12f0a0 | 0x10a8  | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4293191654, next used block 4293257190                        |          |
RT_ICON       | 0x130148 | 0x25a8  | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4292927968, next used block 4292927968                        |          |
RT_ICON       | 0x1326f0 | 0x4228  | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4292533467, next used block 4292665053     |          |
RT_ICON       | 0x136918 | 0x5488  | data                                                                                                                                              |          |
RT_ICON       | 0x13bda0 | 0x94a8  | data                                                                                                                                              |          |
RT_ICON       | 0x145248 | 0x10828 | dBase III DBT, version number 0, next free block index 40                                                                                         |          |
RT_ICON       | 0x155a70 | 0xbe16  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                                                                       |          |
RT_GROUP_ICON | 0x161888 | 0x84    | data                                                                                                                                              |          |
RT_VERSION    | 0x16190c | 0x33c   | data                                                                                                                                              |          |
RT_MANIFEST   | 0x161c48 | 0x1ea   | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators                                                                       |          |

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2013
Assembly Version  1.0.0.0
InternalName      SeededGrow2d.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       SeededGrow2d
ProductVersion    1.0.0.0
FileDescription   SeededGrow2d
OriginalFilename  SeededGrow2d.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Jun 11, 2021 16:34:11.967228889 CEST  49711        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:12.023077965 CEST  7755         49711      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:12.710383892 CEST  49711        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:12.766278982 CEST  7755         49711      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:13.322324038 CEST  49711        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:13.378083944 CEST  7755         49711      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:17.887018919 CEST  49713        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:17.943044901 CEST  7755         49713      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:18.578355074 CEST  49713        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:18.635466099 CEST  7755         49713      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:19.195368052 CEST  49713        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:19.251844883 CEST  7755         49713      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:24.373694897 CEST  49715        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:24.429712057 CEST  7755         49715      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:24.992696047 CEST  49715        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:25.048629045 CEST  7755         49715      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:25.555236101 CEST  49715        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:25.611514091 CEST  7755         49715      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:45.134120941 CEST  49723        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:45.190426111 CEST  7755         49723      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:45.822515965 CEST  49723        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:45.879470110 CEST  7755         49723      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:46.464871883 CEST  49723        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:46.520852089 CEST  7755         49723      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:50.616056919 CEST  49724        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:50.671914101 CEST  7755         49724      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:51.322963953 CEST  49724        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:51.380789995 CEST  7755         49724      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:52.026285887 CEST  49724        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:52.082103968 CEST  7755         49724      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:56.239419937 CEST  49726        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:56.295754910 CEST  7755         49726      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:56.807893991 CEST  49726        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:56.863848925 CEST  7755         49726      194.5.97.7   192.168.2.5
Jun 11, 2021 16:34:57.370378017 CEST  49726        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:34:57.426242113 CEST  7755         49726      194.5.97.7   192.168.2.5
Jun 11, 2021 16:35:16.671646118 CEST  49737        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:35:16.728934050 CEST  7755         49737      194.5.97.7   192.168.2.5
Jun 11, 2021 16:35:17.231435061 CEST  49737        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:35:17.287265062 CEST  7755         49737      194.5.97.7   192.168.2.5
Jun 11, 2021 16:35:17.794174910 CEST  49737        7755       192.168.2.5  194.5.97.7
Jun 11, 2021 16:35:17.849984884 CEST  7755         49737      194.5.97.7   192.168.2.5
                                                                  Jun 11, 2021 16:35:21.970655918 CEST497387755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:22.026655912 CEST775549738194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:35:22.528836966 CEST497387755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:22.586803913 CEST775549738194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:35:23.091610909 CEST497387755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:23.147478104 CEST775549738194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:35:27.243093967 CEST497397755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:27.299154043 CEST775549739194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:35:27.810533047 CEST497397755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:27.866578102 CEST775549739194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:35:28.373208046 CEST497397755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:28.429162025 CEST775549739194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:35:48.417749882 CEST497437755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:48.473238945 CEST775549743194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:35:48.984172106 CEST497437755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:49.040973902 CEST775549743194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:35:49.547379971 CEST497437755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:49.604872942 CEST775549743194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:35:53.723839045 CEST497457755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:53.779565096 CEST775549745194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:35:54.375672102 CEST497457755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:54.431652069 CEST775549745194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:35:54.937907934 CEST497457755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:54.993837118 CEST775549745194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:35:59.116200924 CEST497477755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:59.172101974 CEST775549747194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:35:59.672898054 CEST497477755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:35:59.728732109 CEST775549747194.5.97.7192.168.2.5
                                                                  Jun 11, 2021 16:36:00.235130072 CEST497477755192.168.2.5194.5.97.7
                                                                  Jun 11, 2021 16:36:00.290700912 CEST775549747194.5.97.7192.168.2.5

                                                                  UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 16:33:57.222655058 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:33:57.273468018 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:33:57.281092882 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:33:57.319689035 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:33:57.370023012 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:33:57.436148882 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:33:57.487663031 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:33:59.591810942 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:33:59.652318001 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:00.289659977 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:00.340603113 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:01.516942978 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:01.568608999 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:02.817385912 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:02.867399931 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:04.142200947 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:04.200922966 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:05.675942898 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:05.727380991 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:06.902890921 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:06.953150034 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:08.416466951 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:08.468246937 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:09.898521900 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:09.959808111 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:11.352176905 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:11.402470112 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:11.893193960 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:11.955162048 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:12.676167965 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:12.726846933 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:17.823801994 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:17.885736942 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:23.310085058 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:24.311016083 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:24.372126102 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:26.542877913 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:26.603473902 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:33.152067900 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:33.225362062 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:45.071463108 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:45.130167961 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:50.553538084 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:50.615031958 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:54.086101055 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:54.155314922 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:34:56.180087090 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:34:56.238449097 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:35:10.566708088 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:35:10.618204117 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:35:13.738579988 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:35:13.797033072 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:35:16.610714912 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:35:16.670631886 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:35:21.906044006 CEST | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:35:21.969640017 CEST | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:35:27.181557894 CEST | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:35:27.241269112 CEST | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:35:48.314888000 CEST | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:35:48.374574900 CEST | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:35:48.814358950 CEST | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:35:48.886957884 CEST | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:35:53.658956051 CEST | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:35:53.722754002 CEST | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:35:53.904445887 CEST | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:35:53.974483967 CEST | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Jun 11, 2021 16:35:59.050698042 CEST | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Jun 11, 2021 16:35:59.114793062 CEST | 53 | 60516 | 8.8.8.8 | 192.168.2.5

                                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 16:34:11.893193960 CEST | 192.168.2.5 | 8.8.8.8 | 0x331a | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:17.823801994 CEST | 192.168.2.5 | 8.8.8.8 | 0xdaa0 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:23.310085058 CEST | 192.168.2.5 | 8.8.8.8 | 0x2584 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:24.311016083 CEST | 192.168.2.5 | 8.8.8.8 | 0x2584 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:45.071463108 CEST | 192.168.2.5 | 8.8.8.8 | 0x9a51 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:50.553538084 CEST | 192.168.2.5 | 8.8.8.8 | 0xcdf7 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:56.180087090 CEST | 192.168.2.5 | 8.8.8.8 | 0x3456 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:16.610714912 CEST | 192.168.2.5 | 8.8.8.8 | 0x5163 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:21.906044006 CEST | 192.168.2.5 | 8.8.8.8 | 0x380c | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:27.181557894 CEST | 192.168.2.5 | 8.8.8.8 | 0x2a55 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:48.314888000 CEST | 192.168.2.5 | 8.8.8.8 | 0x7a90 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:53.658956051 CEST | 192.168.2.5 | 8.8.8.8 | 0x13c2 | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:59.050698042 CEST | 192.168.2.5 | 8.8.8.8 | 0xd6cb | Standard query (0) | doc-file.ddns.net | A (IP address) | IN (0x0001)

                                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 16:34:11.955162048 CEST | 8.8.8.8 | 192.168.2.5 | 0x331a | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:17.885736942 CEST | 8.8.8.8 | 192.168.2.5 | 0xdaa0 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:24.372126102 CEST | 8.8.8.8 | 192.168.2.5 | 0x2584 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:45.130167961 CEST | 8.8.8.8 | 192.168.2.5 | 0x9a51 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:50.615031958 CEST | 8.8.8.8 | 192.168.2.5 | 0xcdf7 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:34:56.238449097 CEST | 8.8.8.8 | 192.168.2.5 | 0x3456 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:16.670631886 CEST | 8.8.8.8 | 192.168.2.5 | 0x5163 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:21.969640017 CEST | 8.8.8.8 | 192.168.2.5 | 0x380c | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:27.241269112 CEST | 8.8.8.8 | 192.168.2.5 | 0x2a55 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:48.374574900 CEST | 8.8.8.8 | 192.168.2.5 | 0x7a90 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:53.722754002 CEST | 8.8.8.8 | 192.168.2.5 | 0x13c2 | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
Jun 11, 2021 16:35:59.114793062 CEST | 8.8.8.8 | 192.168.2.5 | 0xd6cb | No error (0) | doc-file.ddns.net | - | 194.5.97.7 | A (IP address) | IN (0x0001)
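The TCP and DNS tables above show the pattern a NanoCore client leaves on the wire: the dynamic DNS name doc-file.ddns.net is re-resolved before almost every connection, every connection goes to 194.5.97.7 on the non-standard port 7755, each source port carries three packet exchanges about half a second apart, a new source port appears roughly every 5 s, and every third connection is followed by a pause of about 20 s. The following Python is an added example, not part of the Joe Sandbox report, that runs that beacon and dynamic-DNS heuristic over a constructed subset of the report's rows. The LOCAL_NET prefix comes from the report; COMMON_PORTS, DYNDNS_SUFFIXES and the min_connections threshold are assumptions a deployment would tune.

```python
"""Beacon and dynamic-DNS heuristics over sandbox packet rows.
Added example, not part of the Joe Sandbox report. TCP_ROWS and DNS_ROWS are constructed
from a subset of the report's tables; COMMON_PORTS, DYNDNS_SUFFIXES and min_connections are assumptions.
"""
from collections import defaultdict
from datetime import datetime

LOCAL_NET = "192.168."                                   # sandbox client subnet (from the report)
COMMON_PORTS = {21, 22, 25, 53, 80, 443, 587, 993, 995}  # assumption: expected egress ports
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")  # assumption

# Constructed subset of the report's TCP table: timestamp | sport | dport | src ip | dst ip
TCP_ROWS = """\
Jun 11, 2021 16:34:19.195368052 CEST | 49713 | 7755 | 192.168.2.5 | 194.5.97.7
Jun 11, 2021 16:34:19.251844883 CEST | 7755 | 49713 | 194.5.97.7 | 192.168.2.5
Jun 11, 2021 16:34:24.373694897 CEST | 49715 | 7755 | 192.168.2.5 | 194.5.97.7
Jun 11, 2021 16:34:24.992696047 CEST | 49715 | 7755 | 192.168.2.5 | 194.5.97.7
Jun 11, 2021 16:34:25.555236101 CEST | 49715 | 7755 | 192.168.2.5 | 194.5.97.7
Jun 11, 2021 16:34:45.134120941 CEST | 49723 | 7755 | 192.168.2.5 | 194.5.97.7
Jun 11, 2021 16:34:50.616056919 CEST | 49724 | 7755 | 192.168.2.5 | 194.5.97.7
Jun 11, 2021 16:34:56.239419937 CEST | 49726 | 7755 | 192.168.2.5 | 194.5.97.7
Jun 11, 2021 16:35:16.671646118 CEST | 49737 | 7755 | 192.168.2.5 | 194.5.97.7
"""

# Constructed subset of the report's DNS queries and answers: timestamp | name | answer
DNS_ROWS = """\
Jun 11, 2021 16:34:11.893193960 CEST | doc-file.ddns.net | 194.5.97.7
Jun 11, 2021 16:34:17.823801994 CEST | doc-file.ddns.net | 194.5.97.7
Jun 11, 2021 16:34:23.310085058 CEST | doc-file.ddns.net | 194.5.97.7
Jun 11, 2021 16:34:45.071463108 CEST | doc-file.ddns.net | 194.5.97.7
"""


def parse_ts(text):
    """'Jun 11, 2021 16:34:19.195368052 CEST' -> datetime (%f takes 6 digits, so trim the ns)."""
    main, frac = text.replace(" CEST", "").split(".")
    return datetime.strptime(f"{main}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, sport, dport, sip, dip = [f.strip() for f in line.split("|")]
        rows.append((parse_ts(ts), int(sport), int(dport), sip, dip))
    return rows


def outbound_sessions(rows):
    """Group client->internet packets by (dst ip, dst port, src port): one socket each."""
    sessions = defaultdict(list)
    for ts, sport, dport, sip, dip in rows:
        if sip.startswith(LOCAL_NET) and not dip.startswith(LOCAL_NET):
            sessions[(dip, dport, sport)].append(ts)
    return sessions


def beacon_report(rows, min_connections=5):
    """Flag destinations that receive many short-lived sockets and report the cadence."""
    per_dest = defaultdict(list)  # (dip, dport) -> [(first packet, packets on that socket)]
    for (dip, dport, sport), stamps in outbound_sessions(rows).items():
        per_dest[(dip, dport)].append((min(stamps), len(stamps)))
    findings = []
    for (dip, dport), conns in per_dest.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        firsts = [c[0] for c in conns]
        findings.append({
            "dst": f"{dip}:{dport}",
            "connections": len(conns),
            "max_retries": max(c[1] for c in conns),
            "nonstandard_port": dport not in COMMON_PORTS,
            "gaps_s": [round((b - a).total_seconds(), 1) for a, b in zip(firsts, firsts[1:])],
        })
    return findings


def dns_report(text):
    """Per name: how often it was re-resolved, what it resolved to, and whether it is dynamic DNS."""
    seen = defaultdict(lambda: {"queries": 0, "answers": set()})
    for line in text.strip().splitlines():
        _ts, name, answer = [f.strip() for f in line.split("|")]
        seen[name]["queries"] += 1
        seen[name]["answers"].add(answer)
    return {n: {"queries": d["queries"], "answers": sorted(d["answers"]),
                "dynamic_dns": n.endswith(DYNDNS_SUFFIXES)} for n, d in seen.items()}


def correlate(tcp_text, dns_text, min_connections=5):
    """Attach to each beacon destination the DNS names that resolved to it."""
    dns = dns_report(dns_text)
    findings = beacon_report(parse_rows(tcp_text), min_connections)
    for f in findings:
        ip = f["dst"].rsplit(":", 1)[0]
        names = sorted(n for n, d in dns.items() if ip in d["answers"])
        f["resolved_from"] = names
        f["dynamic_dns"] = any(dns[n]["dynamic_dns"] for n in names)
    return findings
```

Calling correlate(TCP_ROWS, DNS_ROWS) yields one finding for 194.5.97.7:7755 with the connection count, the largest number of packets seen on a single socket, the inter-connection gaps, and the dynamic DNS name that produced the address. The gaps list is what distinguishes a beacon from a download: a sleep-and-retry loop produces a small set of repeating intervals, which the sample's 5 s / 20 s cadence shows even on this short capture.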

                                                                  Code Manipulations

Statistics

CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior: interactive per-process charts in the original report, not reproduced here.

                                                                  System Behavior

General

Start time: 16:34:05
Start date: 11/06/2021
Path: C:\Users\user\Desktop\PAYMENT-PO#987654567.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PAYMENT-PO#987654567.exe'
Imagebase: 0x880000
File size: 1438208 bytes
MD5 hash: 568727E4104E3F3E56A1368AF64E9248
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.225391808.000000000406B000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.225391808.000000000406B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.225391808.000000000406B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.225536432.0000000004169000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.225536432.0000000004169000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.225536432.0000000004169000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 16:34:06
Start date: 11/06/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase: 0xb40000
File size: 64616 bytes
MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.492063110.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.492063110.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.486565092.0000000002EB1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.223604786.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.223604786.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000003.00000000.223604786.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.484697410.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.484697410.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000003.00000002.484697410.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.492128185.0000000006470000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.492128185.0000000006470000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.492128185.0000000006470000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.223324621.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.223324621.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000003.00000000.223324621.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.489761514.0000000003EF9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000003.00000002.489761514.0000000003EF9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: high

General

Start time: 16:34:08
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpAB2D.tmp'
Imagebase: 0xd90000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:34:09
Start date: 11/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:34:10
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB06D.tmp'
Imagebase: 0xd90000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                  General

                                                                  Start time:16:34:10
                                                                  Start date:11/06/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7ecfc0000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:16:34:10
                                                                  Start date:11/06/2021
                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0
                                                                  Imagebase:0x7ff797770000
                                                                  File size:64616 bytes
                                                                  MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Reputation:high

                                                                  General

                                                                  Start time:16:34:11
                                                                  Start date:11/06/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7ecfc0000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:16:34:13
                                                                  Start date:11/06/2021
                                                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                  Imagebase:0xc10000
                                                                  File size:64616 bytes
                                                                  MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Antivirus matches:
                                                                  • Detection: 0%, Metadefender
                                                                  • Detection: 0%, ReversingLabs
                                                                  Reputation:high

                                                                  General

                                                                  Start time:16:34:13
                                                                  Start date:11/06/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7ecfc0000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:16:34:18
                                                                  Start date:11/06/2021
                                                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                  Imagebase:0x2d0000
                                                                  File size:64616 bytes
                                                                  MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Reputation:high

                                                                  General

                                                                  Start time:16:34:19
                                                                  Start date:11/06/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7ecfc0000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Disassembly

                                                                  Code Analysis


                                                                    Executed Functions

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.224683939.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Yzgu
                                                                    • API String ID: 0-3304327777
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0113F7CF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.224683939.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID:
                                                                    • API String ID: 963392458-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0113F253
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.224683939.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0113F38A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.224683939.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MemoryProcessRead
                                                                    • String ID:
                                                                    • API String ID: 1726664587-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0113F10A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.224683939.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 0113EFE7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.224683939.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ContextThreadWow64
                                                                    • String ID:
                                                                    • API String ID: 983334009-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ResumeThread.KERNELBASE(?), ref: 0113E216
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.224683939.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.224622730.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.224622730.000000000109D000.00000040.00000001.sdmp, Offset: 0109D000, based on PE: false
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.224683939.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: `
                                                                    • API String ID: 0-2679148245
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.224683939.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.224683939.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.224683939.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Executed Functions

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.492511661.0000000006970000.00000040.00000001.sdmp, Offset: 06970000, based on PE: false
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0533962E
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.490911169.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06973738
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.492511661.0000000006970000.00000040.00000001.sdmp, Offset: 06970000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Query_
                                                                    • String ID:
                                                                    • API String ID: 428220571-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06973738
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.492511661.0000000006970000.00000040.00000001.sdmp, Offset: 06970000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Query_
                                                                    • String ID:
                                                                    • API String ID: 428220571-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06973738
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.492511661.0000000006970000.00000040.00000001.sdmp, Offset: 06970000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Query_
                                                                    • String ID:
                                                                    • API String ID: 428220571-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0533FD0A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.490911169.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0533FD0A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.490911169.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0533BCC6,?,?,?,?,?), ref: 0533BD87
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.490911169.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0533BCC6,?,?,?,?,?), ref: 0533BD87
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.490911169.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,053396A9,00000800,00000000,00000000), ref: 053398BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.490911169.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,053396A9,00000800,00000000,00000000), ref: 053398BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.490911169.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0533962E
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.490911169.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0533FE28,?,?,?,?), ref: 0533FE9D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.490911169.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID:
                                                                    • API String ID: 1378638983-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0533FE28,?,?,?,?), ref: 0533FE9D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.490911169.0000000005330000.00000040.00000001.sdmp, Offset: 05330000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID:
                                                                    • API String ID: 1378638983-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.486151729.000000000132D000.00000040.00000001.sdmp, Offset: 0132D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.486187474.000000000133D000.00000040.00000001.sdmp, Offset: 0133D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.486187474.000000000133D000.00000040.00000001.sdmp, Offset: 0133D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.486151729.000000000132D000.00000040.00000001.sdmp, Offset: 0132D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Executed Functions

                                                                    APIs
                                                                    • SearchPathW.KERNEL32(?,?,?,?,00000000,00000000), ref: 013F1A4B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.233865033.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: PathSearch
                                                                    • String ID: [hwE$[hwE
                                                                    • API String ID: 2203818243-1796981920
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SearchPathW.KERNEL32(?,?,?,?,00000000,00000000), ref: 013F1A4B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.233865033.00000000013F0000.00000040.00000001.sdmp, Offset: 013F0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: PathSearch
                                                                    • String ID: [hwE$[hwE
                                                                    • API String ID: 2203818243-1796981920
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Executed Functions

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 069c57987319be659f02a075ff57da49f223fb5a32d78aa01eab83927cc410cf
                                                                    • Instruction ID: eb23be3ec1d97bddcfbbd716018ac82f6c54c58b312e83f11b712e0d81587fd9
                                                                    • Opcode Fuzzy Hash: 069c57987319be659f02a075ff57da49f223fb5a32d78aa01eab83927cc410cf
                                                                    • Instruction Fuzzy Hash: 2031B43070418CABDF14BB68D810B5E7BE6EB8C300F21843AD605A3399DF359C069FA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ab3297bd01b21ff7880a9ba98d7a07467e5a096ee6e74c95151c6f75637be32b
                                                                    • Instruction ID: 2e86f69cd9ed71e69cfcdb8a49f48e561b0e8b908b8dbda12d75e456d246d3e5
                                                                    • Opcode Fuzzy Hash: ab3297bd01b21ff7880a9ba98d7a07467e5a096ee6e74c95151c6f75637be32b
                                                                    • Instruction Fuzzy Hash: FE21AC317101408FC759EB38D9548AC77E2AFC921832201A8E506CF7B2DF32DC8ACB95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 063510940505d9977fd5ffe835516783b5ab8c76119f033fb4b44fdcfdb77228
                                                                    • Instruction ID: 3a3cec3199c5cdaa9566ca85a010e4ea57c85bd7aff6a043df81eb33e2275af2
                                                                    • Opcode Fuzzy Hash: 063510940505d9977fd5ffe835516783b5ab8c76119f033fb4b44fdcfdb77228
                                                                    • Instruction Fuzzy Hash: 832156757101008FC788EB78D16896D33E2AFC961932204A8E506CF7B2DF32DC8ACB95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ad0ef858333b55ccf12ef9d232c92df9742ad3acb20430fb5ef1963c714652af
                                                                    • Instruction ID: 1fc37f77b545856790dc7f5d34bb64e4fa01690f9240b68d62a748878d37031a
                                                                    • Opcode Fuzzy Hash: ad0ef858333b55ccf12ef9d232c92df9742ad3acb20430fb5ef1963c714652af
                                                                    • Instruction Fuzzy Hash: 3A11E930B041489FC70497B4E454AAD7FB1EF85204F1180FAD649DB791CF349C06CB56
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c2aac08e264c63f738736b03d83b768ef55e4135d341790ac93187cf80a6bd66
                                                                    • Instruction ID: 999ba8507938a5ea349568375348f3ca9c7c55e8668bf6dab49f3ccef36015c4
                                                                    • Opcode Fuzzy Hash: c2aac08e264c63f738736b03d83b768ef55e4135d341790ac93187cf80a6bd66
                                                                    • Instruction Fuzzy Hash: 84F0E23270066C6F972866795C506BF7A9EFBC5228710443DE10AE7744DF74AC0543E8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1c0c8ee1decd2f945cdd1d56d57707f9239bcfcbc9692c6da157964fe619e61b
                                                                    • Instruction ID: 2e0b1b52b71f4248d5a58c3c9480823c3ed90fe8a968415f66d9d23f4acb5bba
                                                                    • Opcode Fuzzy Hash: 1c0c8ee1decd2f945cdd1d56d57707f9239bcfcbc9692c6da157964fe619e61b
                                                                    • Instruction Fuzzy Hash: 3EE0E5327042285FC718667A5C5057F76DEEBC5224710443EE10AD7744DE759C0543E5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7c3739c4a0299534b30a8d1f8bc840ef56a63ba154d43801483d51d73ae3206f
                                                                    • Instruction ID: 951d116120cad07bd593f343c3eb941ea5c681c1e4cd34bd20cfda8fc555b3cf
                                                                    • Opcode Fuzzy Hash: 7c3739c4a0299534b30a8d1f8bc840ef56a63ba154d43801483d51d73ae3206f
                                                                    • Instruction Fuzzy Hash: FEF02B72B0424C6F9B08CFB99C445EABFFCFB49125B50C0A7E108D3150EA308540C758
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 152b7be2b1638ca423722d3ce3f0068afb0f06d3c0dd1ba138c329f446318935
                                                                    • Instruction ID: b9274472e7c4a9e52630cbbc5c7970f0e206c67e9e69d4da5bda2fc48bb256bb
                                                                    • Opcode Fuzzy Hash: 152b7be2b1638ca423722d3ce3f0068afb0f06d3c0dd1ba138c329f446318935
                                                                    • Instruction Fuzzy Hash: 9CE0ED76704119AF9B08DFA9F8485EBBFFDFB48565B108067E109D2210EB3555418798
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6d62567e8f84fc28c19fecccc9199714823087da8cc009f639d64536c76c35b3
                                                                    • Instruction ID: 121a4b1996d3a7b812acb7158c3e26b9cfbbcbf16f6a58f1d065b13f87115e59
                                                                    • Opcode Fuzzy Hash: 6d62567e8f84fc28c19fecccc9199714823087da8cc009f639d64536c76c35b3
                                                                    • Instruction Fuzzy Hash: 45E026356009489BC714B364F840A6E738AD74810CF019939D109A7754DF245C890BEA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0408ebe62a289b4fa3fadd7cc3cef6492dc56a1040d6f237c3391712c4921c38
                                                                    • Instruction ID: 9cf988d7a6c33cb12fdb8707931a1dc015e2cb75bc3d2170d73bd84a06799c43
                                                                    • Opcode Fuzzy Hash: 0408ebe62a289b4fa3fadd7cc3cef6492dc56a1040d6f237c3391712c4921c38
                                                                    • Instruction Fuzzy Hash: CEE0CD35600548DBC715B774F444A6D739AD74811CF018935D10997754DF245D8D4BDA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 295ab36840055fbbea2df1ac399b7a2eb4aa985ace8ad06e9637f343432db43a
                                                                    • Instruction ID: 4f241692e7f769d17edf59737f12639dda84dd34cf18739df081a2dfd945b1f3
                                                                    • Opcode Fuzzy Hash: 295ab36840055fbbea2df1ac399b7a2eb4aa985ace8ad06e9637f343432db43a
                                                                    • Instruction Fuzzy Hash: 33E0863054C6C49FD7069B24E818A343FA4AB49214F1901A6D149471B7CB28788AD748
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3994825231a269303c71bdd3dd9fd040b384b4a9f0330ba96eca20b353abfab0
                                                                    • Instruction ID: b3686238c983972cc553515aed078f00c41995e5ba32da4fa867f3311d9f0173
                                                                    • Opcode Fuzzy Hash: 3994825231a269303c71bdd3dd9fd040b384b4a9f0330ba96eca20b353abfab0
                                                                    • Instruction Fuzzy Hash: 54C02231600D18630B3022A97E080BDBB5CB80121A7008125E90CA7200EF00791486EB
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9849f871079f0b18bed7370e0c6c978390784ff401d6e6630195adfd70c3ea10
                                                                    • Instruction ID: d06220f9382d71d7066824d04bc1b86bb82a752899bd0262bb71cbcbfb2990e5
                                                                    • Opcode Fuzzy Hash: 9849f871079f0b18bed7370e0c6c978390784ff401d6e6630195adfd70c3ea10
                                                                    • Instruction Fuzzy Hash: 84D0A730200648CFDB04AB60E408E3437A9B748600F014206D10547275CB74B889D784
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b18766bdbfa25b19a7cc07df555501d7b91c2d042876a54c38d6da14ceab2c24
                                                                    • Instruction ID: f5fee80f39bd008e1b69615c081301f82c1aa0f3d4938eacb1311a78754d4727
                                                                    • Opcode Fuzzy Hash: b18766bdbfa25b19a7cc07df555501d7b91c2d042876a54c38d6da14ceab2c24
                                                                    • Instruction Fuzzy Hash: 2DC08040E0DFC21DF71243741C243346F111F8218CF88A0E5C0C45605395CC5095D72D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
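The usual next step with a listing like this is to script over it: pull the Instruction Fuzzy Hashes and the memory dump each function came from into records that can be compared against another report, and catch entries that were mangled in transit. The parser below is an added example, not code from this report or from the sandbox that produced it. It assumes only the field labels visible in the listing; the two entries embedded as sample input are constructed from the last two entries above. What a negative Uniqueness Score means is not stated on the page, so the script keeps the number as parsed and leaves its interpretation to the caller.

```python
# Added example: a parser for the function entries in the listing above. It is
# not code from the report or from the sandbox that produced it, and assumes
# only the field labels the listing shows.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the last two entries of the listing, copied inline.
SAMPLE_LISTING = """
Memory Dump Source
• Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9849f871079f0b18bed7370e0c6c978390784ff401d6e6630195adfd70c3ea10
• Instruction ID: d06220f9382d71d7066824d04bc1b86bb82a752899bd0262bb71cbcbfb2990e5
• Opcode Fuzzy Hash: 9849f871079f0b18bed7370e0c6c978390784ff401d6e6630195adfd70c3ea10
• Instruction Fuzzy Hash: 84D0A730200648CFDB04AB60E408E3437A9B748600F014206D10547275CB74B889D784
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.253132779.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b18766bdbfa25b19a7cc07df555501d7b91c2d042876a54c38d6da14ceab2c24
• Instruction ID: f5fee80f39bd008e1b69615c081301f82c1aa0f3d4938eacb1311a78754d4727
• Opcode Fuzzy Hash: b18766bdbfa25b19a7cc07df555501d7b91c2d042876a54c38d6da14ceab2c24
• Instruction Fuzzy Hash: 2DC08040E0DFC21DF71243741C243346F111F8218CF88A0E5C0C45605395CC5095D72D
Uniqueness
Uniqueness Score: -1.00%
"""


@dataclass
class FunctionEntry:
    source_file: str
    offset: str
    based_on_pe: bool
    opcode_id: str
    instruction_id: str
    opcode_fuzzy_hash: str
    instruction_fuzzy_hash: str
    uniqueness_score: Optional[float]  # None when the score line is absent
    fields: Dict[str, str]             # every 'Label: value' line as found, e.g. 'API ID'


_HEADER = re.compile(r"^\s*Memory Dump Source\s*$", re.MULTILINE)
_FIELD = re.compile(r"^\s*•?\s*([A-Za-z ]+?):\s*(.*?)\s*$")  # optional bullet, label, value
_HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def _split_source(value: str):
    """'file, Offset: X, based on PE: false' -> (file, 'X', False)."""
    parts = [p.strip() for p in value.split(",")]
    extra = {k.strip().lower(): v.strip() for k, _, v in (p.partition(":") for p in parts[1:])}
    return parts[0], extra.get("offset", ""), extra.get("based on pe", "").lower() == "true"


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the listing at each 'Memory Dump Source' header and parse every entry."""
    entries: List[FunctionEntry] = []
    for chunk in _HEADER.split(text)[1:]:  # text before the first header is not an entry
        f = {m.group(1): m.group(2) for m in map(_FIELD.match, chunk.splitlines()) if m}
        src, offset, based = _split_source(f.get("Source File", ""))
        score = f.get("Uniqueness Score", "")
        entries.append(FunctionEntry(
            source_file=src, offset=offset, based_on_pe=based,
            opcode_id=f.get("Opcode ID", ""), instruction_id=f.get("Instruction ID", ""),
            opcode_fuzzy_hash=f.get("Opcode Fuzzy Hash", ""),
            instruction_fuzzy_hash=f.get("Instruction Fuzzy Hash", ""),
            uniqueness_score=float(score.rstrip("%")) if score else None,
            fields=f))
    return entries


def malformed(entries: List[FunctionEntry]) -> List[FunctionEntry]:
    """Entries whose IDs are not 64 hex digits or whose fuzzy hash is not hex
    (the shape of every entry on this page); a hit usually means a bad copy."""
    return [e for e in entries if not (_HEX64.fullmatch(e.opcode_id)
            and _HEX64.fullmatch(e.instruction_id)
            and re.fullmatch(r"[0-9a-fA-F]+", e.instruction_fuzzy_hash))]


def inconsistent(entries: List[FunctionEntry]) -> List[FunctionEntry]:
    """Entries whose Opcode ID and Opcode Fuzzy Hash differ (they are equal in every entry here)."""
    return [e for e in entries if e.opcode_id != e.opcode_fuzzy_hash]


def hashes_by_dump(entries: List[FunctionEntry]) -> Dict[str, List[str]]:
    """Instruction fuzzy hashes grouped by source memory dump, the unit to pivot
    on when comparing this report's functions against another one."""
    grouped: Dict[str, List[str]] = {}
    for e in entries:
        grouped.setdefault(e.source_file, []).append(e.instruction_fuzzy_hash)
    return grouped
```

Run `parse_entries` over the text of the whole listing (or over `SAMPLE_LISTING` to try it) and then `malformed` and `inconsistent` before trusting the hashes; `hashes_by_dump` gives you, per dump file, the list to diff against another report. The `fields` mapping keeps the empty API ID, String ID and API String ID lines too, so nothing from an entry is dropped.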

                                                                    Non-executed Functions