Play interactive tour

Edit tour

Analysis Report ws8W4yPAvg.exe

Overview

General Information

Sample Name:	ws8W4yPAvg.exe
Analysis ID:	433429
MD5:	4f777ac67c52be4d6a8b6f125bc94661
SHA1:	f4fe647fa467ba0d039f9ca61bc18583734f7b46
SHA256:	d112e19d34e88c040a70367143569c965cb48dbb1fa36579838c51f8ca9ebe7c
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

ws8W4yPAvg.exe (PID: 4088 cmdline: 'C:\Users\user\Desktop\ws8W4yPAvg.exe' MD5: 4F777AC67C52BE4D6A8B6F125BC94661)

schtasks.exe (PID: 5292 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEFD2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 3708 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpFE1B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ws8W4yPAvg.exe (PID: 3012 cmdline: C:\Users\user\Desktop\ws8W4yPAvg.exe 0 MD5: 4F777AC67C52BE4D6A8B6F125BC94661)

dhcpmon.exe (PID: 3216 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 4F777AC67C52BE4D6A8B6F125BC94661)

dhcpmon.exe (PID: 3528 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 4F777AC67C52BE4D6A8B6F125BC94661)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c01ec2cb-25ef-4fd8-a41e-f0012551", "Group": "Default", "Domain1": "4.tcp.ngrok.io", "Domain2": "127.0.0.1", "Port": 10877, "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
ws8W4yPAvg.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
ws8W4yPAvg.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
ws8W4yPAvg.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
ws8W4yPAvg.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000008.00000002.239146095.00000000036A1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.239146095.00000000036A1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a55:$a: NanoCore 0x49aae:$a: NanoCore 0x49aeb:$a: NanoCore 0x49b64:$a: NanoCore 0x5d20f:$a: NanoCore 0x5d224:$a: NanoCore 0x5d259:$a: NanoCore 0x761db:$a: NanoCore 0x761f0:$a: NanoCore 0x76225:$a: NanoCore 0x49ab7:$b: ClientPlugin 0x49af4:$b: ClientPlugin 0x4a3f2:$b: ClientPlugin 0x4a3ff:$b: ClientPlugin 0x5cfcb:$b: ClientPlugin 0x5cfe6:$b: ClientPlugin 0x5d016:$b: ClientPlugin 0x5d22d:$b: ClientPlugin 0x5d262:$b: ClientPlugin 0x75f97:$b: ClientPlugin 0x75fb2:$b: ClientPlugin
00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a55:$a: NanoCore 0x49aae:$a: NanoCore 0x49aeb:$a: NanoCore 0x49b64:$a: NanoCore 0x5d20f:$a: NanoCore 0x5d224:$a: NanoCore 0x5d259:$a: NanoCore 0x761db:$a: NanoCore 0x761f0:$a: NanoCore 0x76225:$a: NanoCore 0x49ab7:$b: ClientPlugin 0x49af4:$b: ClientPlugin 0x4a3f2:$b: ClientPlugin 0x4a3ff:$b: ClientPlugin 0x5cfcb:$b: ClientPlugin 0x5cfe6:$b: ClientPlugin 0x5d016:$b: ClientPlugin 0x5d22d:$b: ClientPlugin 0x5d262:$b: ClientPlugin 0x75f97:$b: ClientPlugin 0x75fb2:$b: ClientPlugin
00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.224074695.00000000028B1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.224074695.00000000028B1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2396f:$a: NanoCore 0x239c8:$a: NanoCore 0x23a05:$a: NanoCore 0x23a7e:$a: NanoCore 0x239d1:$b: ClientPlugin 0x23a0e:$b: ClientPlugin 0x2430c:$b: ClientPlugin 0x24319:$b: ClientPlugin 0x1b6cb:$e: KeepAlive 0x23e59:$g: LogClientMessage 0x23dd9:$i: get_Connected 0x159a1:$j: #=q 0x159d1:$j: #=q 0x15a0d:$j: #=q 0x15a35:$j: #=q 0x15a65:$j: #=q 0x15a95:$j: #=q 0x15ac5:$j: #=q 0x15af5:$j: #=q 0x15b11:$j: #=q 0x15b41:$j: #=q
00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000007.00000002.229264984.00000000029E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.229264984.00000000029E1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23ba3:$a: NanoCore 0x23bfc:$a: NanoCore 0x23c39:$a: NanoCore 0x23cb2:$a: NanoCore 0x23c05:$b: ClientPlugin 0x23c42:$b: ClientPlugin 0x24540:$b: ClientPlugin 0x2454d:$b: ClientPlugin 0x1b8ff:$e: KeepAlive 0x2408d:$g: LogClientMessage 0x2400d:$i: get_Connected 0x15bd5:$j: #=q 0x15c05:$j: #=q 0x15c41:$j: #=q 0x15c69:$j: #=q 0x15c99:$j: #=q 0x15cc9:$j: #=q 0x15cf9:$j: #=q 0x15d29:$j: #=q 0x15d45:$j: #=q 0x15d75:$j: #=q
00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000008.00000002.239109730.00000000026A1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.239109730.00000000026A1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23ba3:$a: NanoCore 0x23bfc:$a: NanoCore 0x23c39:$a: NanoCore 0x23cb2:$a: NanoCore 0x23c05:$b: ClientPlugin 0x23c42:$b: ClientPlugin 0x24540:$b: ClientPlugin 0x2454d:$b: ClientPlugin 0x1b8ff:$e: KeepAlive 0x2408d:$g: LogClientMessage 0x2400d:$i: get_Connected 0x15bd5:$j: #=q 0x15c05:$j: #=q 0x15c41:$j: #=q 0x15c69:$j: #=q 0x15c99:$j: #=q 0x15cc9:$j: #=q 0x15cf9:$j: #=q 0x15d29:$j: #=q 0x15d45:$j: #=q 0x15d75:$j: #=q
00000007.00000002.229298937.00000000039E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.229298937.00000000039E1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a55:$a: NanoCore 0x49aae:$a: NanoCore 0x49aeb:$a: NanoCore 0x49b64:$a: NanoCore 0x5d20f:$a: NanoCore 0x5d224:$a: NanoCore 0x5d259:$a: NanoCore 0x761db:$a: NanoCore 0x761f0:$a: NanoCore 0x76225:$a: NanoCore 0x49ab7:$b: ClientPlugin 0x49af4:$b: ClientPlugin 0x4a3f2:$b: ClientPlugin 0x4a3ff:$b: ClientPlugin 0x5cfcb:$b: ClientPlugin 0x5cfe6:$b: ClientPlugin 0x5d016:$b: ClientPlugin 0x5d22d:$b: ClientPlugin 0x5d262:$b: ClientPlugin 0x75f97:$b: ClientPlugin 0x75fb2:$b: ClientPlugin
00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
Process Memory Space: dhcpmon.exe PID: 3528	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe943:$x1: NanoCore.ClientPluginHost 0x1bf4a:$x1: NanoCore.ClientPluginHost 0x21b09:$x1: NanoCore.ClientPluginHost 0x32ea2:$x1: NanoCore.ClientPluginHost 0x46ca3:$x1: NanoCore.ClientPluginHost 0x8855c:$x1: NanoCore.ClientPluginHost 0xedb3:$x2: IClientNetworkHost 0x1bf70:$x2: IClientNetworkHost 0x21b4e:$x2: IClientNetworkHost 0x32ee7:$x2: IClientNetworkHost 0x46d04:$x2: IClientNetworkHost 0x88582:$x2: IClientNetworkHost 0xa25e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4c109:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5a07b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 3528	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 3528	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc031:$a: NanoCore 0xc0f0:$a: NanoCore 0xe418:$a: NanoCore 0xe4f3:$a: NanoCore 0xe943:$a: NanoCore 0x1be3c:$a: NanoCore 0x1bedd:$a: NanoCore 0x1bf4a:$a: NanoCore 0x1c00b:$a: NanoCore 0x1cedc:$a: NanoCore 0x1cf2f:$a: NanoCore 0x1cf68:$a: NanoCore 0x1cfdb:$a: NanoCore 0x21a83:$a: NanoCore 0x21ab0:$a: NanoCore 0x21b09:$a: NanoCore 0x29318:$a: NanoCore 0x2932b:$a: NanoCore 0x2935d:$a: NanoCore 0x32e1c:$a: NanoCore 0x32e49:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 3216	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf341:$x1: NanoCore.ClientPluginHost 0x21cf2:$x1: NanoCore.ClientPluginHost 0x4a392:$x1: NanoCore.ClientPluginHost 0x663a2:$x1: NanoCore.ClientPluginHost 0x6bf61:$x1: NanoCore.ClientPluginHost 0x7d2e5:$x1: NanoCore.ClientPluginHost 0xf677:$x2: IClientNetworkHost 0x21d53:$x2: IClientNetworkHost 0x4a3b8:$x2: IClientNetworkHost 0x663c8:$x2: IClientNetworkHost 0x6bfa6:$x2: IClientNetworkHost 0x7d32a:$x2: IClientNetworkHost 0xa48d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x27158:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x350ca:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 3216	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 3216	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc2b9:$a: NanoCore 0xc99b:$a: NanoCore 0xe78c:$a: NanoCore 0xeea9:$a: NanoCore 0xf341:$a: NanoCore 0x19705:$a: NanoCore 0x199e6:$a: NanoCore 0x19a06:$a: NanoCore 0x217f7:$a: NanoCore 0x21813:$a: NanoCore 0x2196e:$a: NanoCore 0x2197d:$a: NanoCore 0x21c56:$a: NanoCore 0x21c82:$a: NanoCore 0x21cf2:$a: NanoCore 0x31734:$a: NanoCore 0x31746:$a: NanoCore 0x31782:$a: NanoCore 0x3d41e:$a: NanoCore 0x3d4a4:$a: NanoCore 0x3d5a9:$a: NanoCore
Process Memory Space: ws8W4yPAvg.exe PID: 3012	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe9b0:$x1: NanoCore.ClientPluginHost 0x118bf:$x1: NanoCore.ClientPluginHost 0x39387:$x1: NanoCore.ClientPluginHost 0x3ef46:$x1: NanoCore.ClientPluginHost 0x502ca:$x1: NanoCore.ClientPluginHost 0x6e5d6:$x1: NanoCore.ClientPluginHost 0xede0:$x2: IClientNetworkHost 0x11920:$x2: IClientNetworkHost 0x393ad:$x2: IClientNetworkHost 0x3ef8b:$x2: IClientNetworkHost 0x5030f:$x2: IClientNetworkHost 0x6e5fc:$x2: IClientNetworkHost 0xa2e5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x16d25:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x24c97:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: ws8W4yPAvg.exe PID: 3012	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: ws8W4yPAvg.exe PID: 3012	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc01f:$a: NanoCore 0xc06f:$a: NanoCore 0xe4e1:$a: NanoCore 0xe592:$a: NanoCore 0xe9b0:$a: NanoCore 0x113c4:$a: NanoCore 0x113e0:$a: NanoCore 0x1153b:$a: NanoCore 0x1154a:$a: NanoCore 0x11823:$a: NanoCore 0x1184f:$a: NanoCore 0x118bf:$a: NanoCore 0x21301:$a: NanoCore 0x21313:$a: NanoCore 0x2134f:$a: NanoCore 0x39279:$a: NanoCore 0x3931a:$a: NanoCore 0x39387:$a: NanoCore 0x39448:$a: NanoCore 0x3a319:$a: NanoCore 0x3a36c:$a: NanoCore
Process Memory Space: ws8W4yPAvg.exe PID: 4088	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe9b0:$x1: NanoCore.ClientPluginHost 0x2bfc6:$x1: NanoCore.ClientPluginHost 0xede0:$x2: IClientNetworkHost 0x2c027:$x2: IClientNetworkHost 0xa2cf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3142c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3f39e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: ws8W4yPAvg.exe PID: 4088	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: ws8W4yPAvg.exe PID: 4088	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbffa:$a: NanoCore 0xc06f:$a: NanoCore 0xe4e1:$a: NanoCore 0xe592:$a: NanoCore 0xe9b0:$a: NanoCore 0x2bacb:$a: NanoCore 0x2bae7:$a: NanoCore 0x2bc42:$a: NanoCore 0x2bc51:$a: NanoCore 0x2bf2a:$a: NanoCore 0x2bf56:$a: NanoCore 0x2bfc6:$a: NanoCore 0x3ba08:$a: NanoCore 0x3ba1a:$a: NanoCore 0x3ba56:$a: NanoCore 0x34716b:$a: NanoCore 0x3475d1:$a: NanoCore 0xc608:$b: ClientPlugin 0xe59b:$b: ClientPlugin 0xe9b9:$b: ClientPlugin 0x168d4:$b: ClientPlugin
Click to see the 43 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.0.dhcpmon.exe.c0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.0.dhcpmon.exe.c0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.0.dhcpmon.exe.c0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.0.dhcpmon.exe.c0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.dhcpmon.exe.390000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.dhcpmon.exe.390000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.dhcpmon.exe.390000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.390000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.0.dhcpmon.exe.390000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.0.dhcpmon.exe.390000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.0.dhcpmon.exe.390000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.0.dhcpmon.exe.390000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.dhcpmon.exe.36eeaac.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
8.2.dhcpmon.exe.36eeaac.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
8.2.dhcpmon.exe.36eeaac.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.ws8W4yPAvg.exe.50000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.ws8W4yPAvg.exe.50000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.ws8W4yPAvg.exe.50000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.ws8W4yPAvg.exe.50000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.ws8W4yPAvg.exe.39030d5.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24150:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2417d:$x2: IClientNetworkHost
5.2.ws8W4yPAvg.exe.39030d5.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24150:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2522b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2416a:$s5: IClientLoggingHost
5.2.ws8W4yPAvg.exe.39030d5.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.c0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.dhcpmon.exe.c0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.2.dhcpmon.exe.c0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.c0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.dhcpmon.exe.36e9c76.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5dc:$x2: IClientNetworkHost
8.2.dhcpmon.exe.36e9c76.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e68a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5c9:$s5: IClientLoggingHost
8.2.dhcpmon.exe.36e9c76.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.36e9c76.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d565:$a: NanoCore 0x2d57a:$a: NanoCore 0x2d5af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d321:$b: ClientPlugin 0x2d33c:$b: ClientPlugin
5.2.ws8W4yPAvg.exe.38feaac.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28779:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287a6:$x2: IClientNetworkHost
5.2.ws8W4yPAvg.exe.38feaac.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28779:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29854:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28793:$s5: IClientLoggingHost
5.2.ws8W4yPAvg.exe.38feaac.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.ws8W4yPAvg.exe.38feaac.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.ws8W4yPAvg.exe.38feaac.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.ws8W4yPAvg.exe.38feaac.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.ws8W4yPAvg.exe.50000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.ws8W4yPAvg.exe.50000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.ws8W4yPAvg.exe.50000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.ws8W4yPAvg.exe.50000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.dhcpmon.exe.3a2eaac.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28779:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287a6:$x2: IClientNetworkHost
7.2.dhcpmon.exe.3a2eaac.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28779:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29854:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28793:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3a2eaac.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.3a29c76.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5dc:$x2: IClientNetworkHost
7.2.dhcpmon.exe.3a29c76.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e68a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5c9:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3a29c76.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.3a29c76.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d565:$a: NanoCore 0x2d57a:$a: NanoCore 0x2d5af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d321:$b: ClientPlugin 0x2d33c:$b: ClientPlugin
7.2.dhcpmon.exe.2a03dc4.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.dhcpmon.exe.2a03dc4.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3a2eaac.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.dhcpmon.exe.3a2eaac.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3a2eaac.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.36f30d5.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24150:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2417d:$x2: IClientNetworkHost
8.2.dhcpmon.exe.36f30d5.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24150:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2522b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2416a:$s5: IClientLoggingHost
8.2.dhcpmon.exe.36f30d5.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.36eeaac.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28779:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287a6:$x2: IClientNetworkHost
8.2.dhcpmon.exe.36eeaac.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28779:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29854:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28793:$s5: IClientLoggingHost
8.2.dhcpmon.exe.36eeaac.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.ws8W4yPAvg.exe.28d3b90.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.ws8W4yPAvg.exe.28d3b90.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0.2.ws8W4yPAvg.exe.60000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.ws8W4yPAvg.exe.60000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.ws8W4yPAvg.exe.60000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.ws8W4yPAvg.exe.60000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.dhcpmon.exe.26c3dc4.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
8.2.dhcpmon.exe.26c3dc4.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0.0.ws8W4yPAvg.exe.60000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.0.ws8W4yPAvg.exe.60000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.0.ws8W4yPAvg.exe.60000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.0.ws8W4yPAvg.exe.60000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.dhcpmon.exe.3a330d5.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24150:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2417d:$x2: IClientNetworkHost
7.2.dhcpmon.exe.3a330d5.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24150:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2522b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2416a:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3a330d5.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.ws8W4yPAvg.exe.38f9c76.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5dc:$x2: IClientNetworkHost
5.2.ws8W4yPAvg.exe.38f9c76.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e68a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5c9:$s5: IClientLoggingHost
5.2.ws8W4yPAvg.exe.38f9c76.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.ws8W4yPAvg.exe.38f9c76.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d565:$a: NanoCore 0x2d57a:$a: NanoCore 0x2d5af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d321:$b: ClientPlugin 0x2d33c:$b: ClientPlugin
Click to see the 72 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ws8W4yPAvg.exe, ProcessId: 4088, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ws8W4yPAvg.exe, ProcessId: 4088, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ws8W4yPAvg.exe, ProcessId: 4088, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ws8W4yPAvg.exe, ProcessId: 4088, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: ws8W4yPAvg.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Found malware configuration

Show sources

Source: 00000008.00000002.239146095.00000000036A1000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c01ec2cb-25ef-4fd8-a41e-f0012551", "Group": "Default", "Domain1": "4.tcp.ngrok.io", "Domain2": "127.0.0.1", "Port": 10877, "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Show sources

Source: 4.tcp.ngrok.io	Virustotal: Detection: 12%			Perma Link
Source: 4.tcp.ngrok.io	Virustotal: Detection: 12%			Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: ws8W4yPAvg.exe, type: SAMPLE
Source: Yara match	File source: 00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.239146095.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.224074695.00000000028B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.229264984.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.239109730.00000000026A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.229298937.00000000039E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3528, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3216, type: MEMORY
Source: Yara match	File source: Process Memory Space: ws8W4yPAvg.exe PID: 3012, type: MEMORY
Source: Yara match	File source: Process Memory Space: ws8W4yPAvg.exe PID: 4088, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match	File source: 8.0.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36eeaac.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.39030d5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36e9c76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.38feaac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.38feaac.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a2eaac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a29c76.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a2eaac.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36f30d5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36eeaac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a330d5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.38f9c76.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: ws8W4yPAvg.exe

Joe Sandbox ML: detected

Source: 5.0.ws8W4yPAvg.exe.50000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.dhcpmon.exe.390000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.0.dhcpmon.exe.c0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.dhcpmon.exe.390000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.dhcpmon.exe.c0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.ws8W4yPAvg.exe.50000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.0.ws8W4yPAvg.exe.60000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: ws8W4yPAvg.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49720 -> 3.133.207.110:10877
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49724 -> 3.133.207.110:10877
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49728 -> 3.133.207.110:10877
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 3.133.207.110:10877
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49739 -> 3.133.207.110:10877
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49740 -> 3.133.207.110:10877
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49750 -> 3.22.15.135:10877
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49756 -> 3.133.207.110:10877
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49757 -> 3.22.15.135:10877
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49761 -> 3.131.147.49:10877
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49764 -> 3.22.15.135:10877
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49765 -> 3.131.147.49:10877
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49769 -> 3.138.180.119:10877
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49770 -> 3.138.180.119:10877

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 4.tcp.ngrok.io
Source: Malware configuration extractor	URLs: 127.0.0.1

Source: global traffic	TCP traffic: 192.168.2.3:49720 -> 3.133.207.110:10877
Source: global traffic	TCP traffic: 192.168.2.3:49750 -> 3.22.15.135:10877
Source: global traffic	TCP traffic: 192.168.2.3:49761 -> 3.131.147.49:10877

Source: Joe Sandbox View	IP Address: 3.131.147.49 3.131.147.49
Source: Joe Sandbox View	IP Address: 3.133.207.110 3.133.207.110
Source: Joe Sandbox View	IP Address: 3.22.15.135 3.22.15.135

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown

DNS traffic detected: queries for: 4.tcp.ngrok.io

Source: ws8W4yPAvg.exe, 00000000.00000002.466472701.00000000007EA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: ws8W4yPAvg.exe, 00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: ws8W4yPAvg.exe, type: SAMPLE
Source: Yara match	File source: 00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.239146095.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.224074695.00000000028B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.229264984.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.239109730.00000000026A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.229298937.00000000039E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3528, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3216, type: MEMORY
Source: Yara match	File source: Process Memory Space: ws8W4yPAvg.exe PID: 3012, type: MEMORY
Source: Yara match	File source: Process Memory Space: ws8W4yPAvg.exe PID: 4088, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match	File source: 8.0.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36eeaac.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.39030d5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36e9c76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.38feaac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.38feaac.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a2eaac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a29c76.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a2eaac.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36f30d5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36eeaac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a330d5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.38f9c76.2.raw.unpack, type: UNPACKEDPE

Operating System Destruction:

Protects its processes via BreakOnTermination flag

Show sources

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: ws8W4yPAvg.exe, type: SAMPLE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: ws8W4yPAvg.exe, type: SAMPLE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.239146095.00000000036A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.224074695.00000000028B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.229264984.00000000029E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.239109730.00000000026A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.229298937.00000000039E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 3528, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 3528, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 3216, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 3216, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ws8W4yPAvg.exe PID: 3012, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: ws8W4yPAvg.exe PID: 3012, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ws8W4yPAvg.exe PID: 4088, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: ws8W4yPAvg.exe PID: 4088, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.0.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.dhcpmon.exe.36eeaac.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.ws8W4yPAvg.exe.39030d5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.dhcpmon.exe.36e9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.36e9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.ws8W4yPAvg.exe.38feaac.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.ws8W4yPAvg.exe.38feaac.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.3a2eaac.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.3a29c76.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.3a29c76.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.2a03dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.3a2eaac.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.36f30d5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.36eeaac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.ws8W4yPAvg.exe.28d3b90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.dhcpmon.exe.26c3dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.3a330d5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.ws8W4yPAvg.exe.38f9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.ws8W4yPAvg.exe.38f9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Code function: 0_2_0006524A	0_2_0006524A
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Code function: 5_2_0005524A	5_2_0005524A
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Code function: 5_2_00AE2FA8	5_2_00AE2FA8
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Code function: 5_2_00AE23A0	5_2_00AE23A0
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Code function: 5_2_00AE3850	5_2_00AE3850
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Code function: 5_2_00AE306F	5_2_00AE306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_0039524A	7_2_0039524A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_00DC2FA8	7_2_00DC2FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_00DC23A0	7_2_00DC23A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_00DC3850	7_2_00DC3850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_00DC306F	7_2_00DC306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_000C524A	8_2_000C524A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_048F2FA8	8_2_048F2FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_048F23A0	8_2_048F23A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_048F3850	8_2_048F3850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_048F32BB	8_2_048F32BB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_048F306F	8_2_048F306F

Source: ws8W4yPAvg.exe, 00000000.00000002.466472701.00000000007EA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs ws8W4yPAvg.exe
Source: ws8W4yPAvg.exe, 00000005.00000002.223440420.000000000082A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs ws8W4yPAvg.exe
Source: ws8W4yPAvg.exe, 00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs ws8W4yPAvg.exe
Source: ws8W4yPAvg.exe, 00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs ws8W4yPAvg.exe
Source: ws8W4yPAvg.exe, 00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs ws8W4yPAvg.exe
Source: ws8W4yPAvg.exe, 00000005.00000002.224417602.0000000004AA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs ws8W4yPAvg.exe

Source: ws8W4yPAvg.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: ws8W4yPAvg.exe, type: SAMPLE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: ws8W4yPAvg.exe, type: SAMPLE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: ws8W4yPAvg.exe, type: SAMPLE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.239146095.00000000036A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.224074695.00000000028B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.229264984.00000000029E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.239109730.00000000026A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.229298937.00000000039E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 3528, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 3528, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 3216, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 3216, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ws8W4yPAvg.exe PID: 3012, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: ws8W4yPAvg.exe PID: 3012, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ws8W4yPAvg.exe PID: 4088, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: ws8W4yPAvg.exe PID: 4088, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.0.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.0.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.0.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.dhcpmon.exe.36eeaac.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.dhcpmon.exe.36eeaac.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.ws8W4yPAvg.exe.39030d5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.ws8W4yPAvg.exe.39030d5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.dhcpmon.exe.36e9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.dhcpmon.exe.36e9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.36e9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.ws8W4yPAvg.exe.38feaac.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.ws8W4yPAvg.exe.38feaac.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.ws8W4yPAvg.exe.38feaac.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.ws8W4yPAvg.exe.38feaac.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.3a2eaac.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.3a2eaac.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.3a29c76.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.3a29c76.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.3a29c76.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.2a03dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.2a03dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.3a2eaac.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.3a2eaac.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.36f30d5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.dhcpmon.exe.36f30d5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.36eeaac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.dhcpmon.exe.36eeaac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.ws8W4yPAvg.exe.28d3b90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.ws8W4yPAvg.exe.28d3b90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.dhcpmon.exe.26c3dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.dhcpmon.exe.26c3dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.3a330d5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.3a330d5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.ws8W4yPAvg.exe.38f9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.ws8W4yPAvg.exe.38f9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.ws8W4yPAvg.exe.38f9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: ws8W4yPAvg.exe	Static PE information: Section: .rsrc ZLIB complexity 1.00012207031
Source: dhcpmon.exe.0.dr	Static PE information: Section: .rsrc ZLIB complexity 1.00012207031

Source: ws8W4yPAvg.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: ws8W4yPAvg.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: ws8W4yPAvg.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 7.2.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.2.dhcpmon.exe.c0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.2.dhcpmon.exe.c0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ws8W4yPAvg.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: ws8W4yPAvg.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.0.dhcpmon.exe.c0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.0.dhcpmon.exe.c0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/8@14/5

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_01
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{c01ec2cb-25ef-4fd8-a41e-f0012551a6da}

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

File created: C:\Users\user\AppData\Local\Temp\tmpEFD2.tmp

Jump to behavior

Source: ws8W4yPAvg.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

File read: C:\Users\user\Desktop\ws8W4yPAvg.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ws8W4yPAvg.exe 'C:\Users\user\Desktop\ws8W4yPAvg.exe'
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEFD2.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpFE1B.tmp'
Source: unknown	Process created: C:\Users\user\Desktop\ws8W4yPAvg.exe C:\Users\user\Desktop\ws8W4yPAvg.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEFD2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpFE1B.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: ws8W4yPAvg.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: ws8W4yPAvg.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ws8W4yPAvg.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.0.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.dhcpmon.exe.390000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.390000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.dhcpmon.exe.c0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.dhcpmon.exe.c0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.dhcpmon.exe.c0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.dhcpmon.exe.c0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Code function: 0_2_00759D74 push 780075CBh; retf	0_2_00759D79
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Code function: 0_2_007574B8 push ebp; ret	0_2_007574B9
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Code function: 0_2_007574AC push ecx; ret	0_2_007574AD
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Code function: 0_2_007598AB push ecx; retf 0075h	0_2_007598B1

Source: ws8W4yPAvg.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: ws8W4yPAvg.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: dhcpmon.exe.0.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.0.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.0.dhcpmon.exe.390000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.dhcpmon.exe.390000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.dhcpmon.exe.390000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.dhcpmon.exe.390000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 8.0.dhcpmon.exe.c0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 8.0.dhcpmon.exe.c0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 8.2.dhcpmon.exe.c0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 8.2.dhcpmon.exe.c0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEFD2.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

File opened: C:\Users\user\Desktop\ws8W4yPAvg.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

Window / User API: foregroundWindowGot 958

Jump to behavior

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe TID: 3088	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe TID: 3468	Thread sleep time: -560000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe TID: 4608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: ws8W4yPAvg.exe, 00000000.00000003.268517995.0000000000873000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj%

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEFD2.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\ws8W4yPAvg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpFE1B.tmp'			Jump to behavior

Source: ws8W4yPAvg.exe, 00000000.00000003.268510228.000000000086B000.00000004.00000001.sdmp	Binary or memory string: Program Manager(
Source: ws8W4yPAvg.exe, 00000000.00000003.244143503.00000000008BA000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: ws8W4yPAvg.exe, 00000000.00000003.407240146.00000000008B9000.00000004.00000001.sdmp	Binary or memory string: Program Managerd
Source: ws8W4yPAvg.exe, 00000000.00000003.244143503.00000000008BA000.00000004.00000001.sdmp	Binary or memory string: Program Managert$
Source: ws8W4yPAvg.exe, 00000000.00000003.417129629.0000000000894000.00000004.00000001.sdmp	Binary or memory string: Program Managerz

Source: C:\Users\user\Desktop\ws8W4yPAvg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: ws8W4yPAvg.exe, type: SAMPLE
Source: Yara match	File source: 00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.239146095.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.224074695.00000000028B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.229264984.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.239109730.00000000026A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.229298937.00000000039E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3528, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3216, type: MEMORY
Source: Yara match	File source: Process Memory Space: ws8W4yPAvg.exe PID: 3012, type: MEMORY
Source: Yara match	File source: Process Memory Space: ws8W4yPAvg.exe PID: 4088, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match	File source: 8.0.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36eeaac.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.39030d5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36e9c76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.38feaac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.38feaac.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a2eaac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a29c76.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a2eaac.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36f30d5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36eeaac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a330d5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.38f9c76.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: ws8W4yPAvg.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: ws8W4yPAvg.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: ws8W4yPAvg.exe, 00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000007.00000002.229264984.00000000029E1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000008.00000002.239146095.00000000036A1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: ws8W4yPAvg.exe	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: ws8W4yPAvg.exe, type: SAMPLE
Source: Yara match	File source: 00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.239146095.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.224074695.00000000028B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.229264984.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.239109730.00000000026A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.229298937.00000000039E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3528, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3216, type: MEMORY
Source: Yara match	File source: Process Memory Space: ws8W4yPAvg.exe PID: 3012, type: MEMORY
Source: Yara match	File source: Process Memory Space: ws8W4yPAvg.exe PID: 4088, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match	File source: 8.0.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36eeaac.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.39030d5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36e9c76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.38feaac.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.38feaac.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a2eaac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a29c76.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a2eaac.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36f30d5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.36eeaac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ws8W4yPAvg.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3a330d5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ws8W4yPAvg.exe.38f9c76.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection12	Masquerading2	Input Capture21	Security Software Discovery1	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing12	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ws8W4yPAvg.exe	100%	Avira	TR/Dropper.MSIL.Gen7
ws8W4yPAvg.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Avira	TR/Dropper.MSIL.Gen7
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.ws8W4yPAvg.exe.50000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.0.dhcpmon.exe.390000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
8.0.dhcpmon.exe.c0000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.2.dhcpmon.exe.390000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
8.2.dhcpmon.exe.c0000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.2.ws8W4yPAvg.exe.50000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.2.ws8W4yPAvg.exe.60000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.0.ws8W4yPAvg.exe.60000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
4.tcp.ngrok.io	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
4.tcp.ngrok.io	12%	Virustotal		Browse
4.tcp.ngrok.io	0%	Avira URL Cloud	safe
127.0.0.1	0%	Virustotal		Browse
127.0.0.1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
4.tcp.ngrok.io	3.133.207.110	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
4.tcp.ngrok.io	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
127.0.0.1	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
3.131.147.49	unknown	United States	16509	AMAZON-02US	true
3.133.207.110	4.tcp.ngrok.io	United States	16509	AMAZON-02US	true
3.22.15.135	unknown	United States	16509	AMAZON-02US	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433429
Start date:	11.06.2021
Start time:	19:57:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ws8W4yPAvg.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/8@14/5
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 189 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.43.139.144, 20.82.210.154, 184.30.20.56, 20.54.26.129, 2.20.142.209, 2.20.142.210, 93.184.221.240, 20.82.209.104, 92.122.213.247, 92.122.213.194, 20.50.102.62 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:57:58	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
19:58:01	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\ws8W4yPAvg.exe" s>$(Arg0)
19:58:02	API Interceptor	990x Sleep call for process: ws8W4yPAvg.exe modified
19:58:03	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
3.131.147.49	FiYBg9R8m0.exe	Get hash	malicious	Browse
	ooAUh9ba7E.exe	Get hash	malicious	Browse
	A6FAm1ae1j.exe	Get hash	malicious	Browse
	vZvmgrCXam.exe	Get hash	malicious	Browse
	63C2AB0ECE24B47CDCFE2128789214F87451A3D82D641.exe	Get hash	malicious	Browse
	DC8DDCD4DB035FA647001A01CAB6A2866D092FCAAD182.exe	Get hash	malicious	Browse
	tmkfdBpwAx.exe	Get hash	malicious	Browse
	LGKacQbjeH.exe	Get hash	malicious	Browse
	qiCot2DU55.exe	Get hash	malicious	Browse
	YZJfsPAFBJ.exe	Get hash	malicious	Browse
	T91uHSVq.exe	Get hash	malicious	Browse
	aYqoy7xF7y.exe	Get hash	malicious	Browse
	Krtw4Kl87V.exe	Get hash	malicious	Browse
	YFZX6dTsiT.exe	Get hash	malicious	Browse
	vzcJbGFs.exe	Get hash	malicious	Browse
	rQMm2jZD.exe	Get hash	malicious	Browse
	PsbfBdoToY.exe	Get hash	malicious	Browse
	BcaDguoEzV.exe	Get hash	malicious	Browse
	eSJ6Q8F2.exe	Get hash	malicious	Browse
	BwQRSJm1.exe	Get hash	malicious	Browse
3.133.207.110	FiYBg9R8m0.exe	Get hash	malicious	Browse
	BWAlL8lrQb.exe	Get hash	malicious	Browse
	ooAUh9ba7E.exe	Get hash	malicious	Browse
	A6FAm1ae1j.exe	Get hash	malicious	Browse
	CpOFmSHBGH.exe	Get hash	malicious	Browse
	63C2AB0ECE24B47CDCFE2128789214F87451A3D82D641.exe	Get hash	malicious	Browse
	D3AAB88BB737961C971ED047B4C2D5B640EFF8E678781.exe	Get hash	malicious	Browse
	DC8DDCD4DB035FA647001A01CAB6A2866D092FCAAD182.exe	Get hash	malicious	Browse
	tmkfdBpwAx.exe	Get hash	malicious	Browse
	J6wDHe2QdA.exe	Get hash	malicious	Browse
	LGKacQbjeH.exe	Get hash	malicious	Browse
	qiCot2DU55.exe	Get hash	malicious	Browse
	YZJfsPAFBJ.exe	Get hash	malicious	Browse
	aYqoy7xF7y.exe	Get hash	malicious	Browse
	zOlLBCUG9R.exe	Get hash	malicious	Browse
	YFZX6dTsiT.exe	Get hash	malicious	Browse
	vzcJbGFs.exe	Get hash	malicious	Browse
	rQMm2jZD.exe	Get hash	malicious	Browse
	43SjNv5s.exe	Get hash	malicious	Browse
	mNxVbma4uT.exe	Get hash	malicious	Browse
3.22.15.135	ehDnx4Ke5d.exe	Get hash	malicious	Browse
	BWAlL8lrQb.exe	Get hash	malicious	Browse
	H4Q0I1RIuW.exe	Get hash	malicious	Browse
	ooAUh9ba7E.exe	Get hash	malicious	Browse
	CpOFmSHBGH.exe	Get hash	malicious	Browse
	GBtiwIB30h.exe	Get hash	malicious	Browse
	vZvmgrCXam.exe	Get hash	malicious	Browse
	D3AAB88BB737961C971ED047B4C2D5B640EFF8E678781.exe	Get hash	malicious	Browse
	DC8DDCD4DB035FA647001A01CAB6A2866D092FCAAD182.exe	Get hash	malicious	Browse
	tmkfdBpwAx.exe	Get hash	malicious	Browse
	J6wDHe2QdA.exe	Get hash	malicious	Browse
	LGKacQbjeH.exe	Get hash	malicious	Browse
	qiCot2DU55.exe	Get hash	malicious	Browse
	YZJfsPAFBJ.exe	Get hash	malicious	Browse
	TBjxmaP9.exe	Get hash	malicious	Browse
	Krtw4Kl87V.exe	Get hash	malicious	Browse
	YFZX6dTsiT.exe	Get hash	malicious	Browse
	sz.exe	Get hash	malicious	Browse
	vzcJbGFs.exe	Get hash	malicious	Browse
	mNxVbma4uT.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
4.tcp.ngrok.io	ehDnx4Ke5d.exe	Get hash	malicious	Browse	3.138.180.119
	XQehPgTn35.exe	Get hash	malicious	Browse	3.138.180.119
	FiYBg9R8m0.exe	Get hash	malicious	Browse	3.133.207.110
	BWAlL8lrQb.exe	Get hash	malicious	Browse	3.129.187.220
	0BFE93ABC8B3801B7E906960F6D69CC51088B76544EFC.exe	Get hash	malicious	Browse	3.138.180.119
	H4Q0I1RIuW.exe	Get hash	malicious	Browse	3.129.187.220
	ooAUh9ba7E.exe	Get hash	malicious	Browse	3.133.207.110
	A6FAm1ae1j.exe	Get hash	malicious	Browse	3.133.207.110
	CpOFmSHBGH.exe	Get hash	malicious	Browse	3.133.207.110
	GBtiwIB30h.exe	Get hash	malicious	Browse	3.22.15.135
	vZvmgrCXam.exe	Get hash	malicious	Browse	3.138.180.119
	63C2AB0ECE24B47CDCFE2128789214F87451A3D82D641.exe	Get hash	malicious	Browse	3.136.65.236
	D3AAB88BB737961C971ED047B4C2D5B640EFF8E678781.exe	Get hash	malicious	Browse	3.22.15.135
	DC8DDCD4DB035FA647001A01CAB6A2866D092FCAAD182.exe	Get hash	malicious	Browse	3.129.187.220
	tmkfdBpwAx.exe	Get hash	malicious	Browse	3.131.147.49
	J6wDHe2QdA.exe	Get hash	malicious	Browse	3.136.65.236
	LGKacQbjeH.exe	Get hash	malicious	Browse	3.138.180.119
	qiCot2DU55.exe	Get hash	malicious	Browse	3.136.65.236
	yEh8mVeLA6.exe	Get hash	malicious	Browse	3.136.65.236
	XFdEhEAPeE.exe	Get hash	malicious	Browse	3.136.65.236

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	UOMp9cDcqZ.exe	Get hash	malicious	Browse	52.58.78.16
	OrderKLB210568.exe	Get hash	malicious	Browse	34.215.126.147
	q7jxy6gZMb.exe	Get hash	malicious	Browse	104.192.141.1
	b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba.exe	Get hash	malicious	Browse	52.219.158.14
	8BDBD0yy0q.apk	Get hash	malicious	Browse	52.17.153.103
	8BDBD0yy0q.apk	Get hash	malicious	Browse	13.224.195.88
	ehDnx4Ke5d.exe	Get hash	malicious	Browse	3.22.15.135
	KY4cmAI0jU.exe	Get hash	malicious	Browse	3.34.12.41
	c71fd2gJus.exe	Get hash	malicious	Browse	52.219.64.3
	XQehPgTn35.exe	Get hash	malicious	Browse	3.136.65.236
	E1a92ARmPw.exe	Get hash	malicious	Browse	35.157.179.180
	crt9O3URua.exe	Get hash	malicious	Browse	35.157.179.180
	E1a92ARmPw.exe	Get hash	malicious	Browse	52.218.105.219
	DNPr7t0GMY.exe	Get hash	malicious	Browse	13.59.53.244
	lTAPQJikGw.exe	Get hash	malicious	Browse	99.83.154.118
	SKlGhwkzTi.exe	Get hash	malicious	Browse	44.227.65.245
	SecuriteInfo.com.Trojan.Packed2.43183.29557.exe	Get hash	malicious	Browse	13.59.53.244
	Letter 1019.xlsx	Get hash	malicious	Browse	18.140.1.169
	#U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM	Get hash	malicious	Browse	143.204.98.37
	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse	75.2.26.18
AMAZON-02US	UOMp9cDcqZ.exe	Get hash	malicious	Browse	52.58.78.16
	OrderKLB210568.exe	Get hash	malicious	Browse	34.215.126.147
	q7jxy6gZMb.exe	Get hash	malicious	Browse	104.192.141.1
	b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba.exe	Get hash	malicious	Browse	52.219.158.14
	8BDBD0yy0q.apk	Get hash	malicious	Browse	52.17.153.103
	8BDBD0yy0q.apk	Get hash	malicious	Browse	13.224.195.88
	ehDnx4Ke5d.exe	Get hash	malicious	Browse	3.22.15.135
	KY4cmAI0jU.exe	Get hash	malicious	Browse	3.34.12.41
	c71fd2gJus.exe	Get hash	malicious	Browse	52.219.64.3
	XQehPgTn35.exe	Get hash	malicious	Browse	3.136.65.236
	E1a92ARmPw.exe	Get hash	malicious	Browse	35.157.179.180
	crt9O3URua.exe	Get hash	malicious	Browse	35.157.179.180
	E1a92ARmPw.exe	Get hash	malicious	Browse	52.218.105.219
	DNPr7t0GMY.exe	Get hash	malicious	Browse	13.59.53.244
	lTAPQJikGw.exe	Get hash	malicious	Browse	99.83.154.118
	SKlGhwkzTi.exe	Get hash	malicious	Browse	44.227.65.245
	SecuriteInfo.com.Trojan.Packed2.43183.29557.exe	Get hash	malicious	Browse	13.59.53.244
	Letter 1019.xlsx	Get hash	malicious	Browse	18.140.1.169
	#U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM	Get hash	malicious	Browse	143.204.98.37
	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse	75.2.26.18
AMAZON-02US	UOMp9cDcqZ.exe	Get hash	malicious	Browse	52.58.78.16
	OrderKLB210568.exe	Get hash	malicious	Browse	34.215.126.147
	q7jxy6gZMb.exe	Get hash	malicious	Browse	104.192.141.1
	b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba.exe	Get hash	malicious	Browse	52.219.158.14
	8BDBD0yy0q.apk	Get hash	malicious	Browse	52.17.153.103
	8BDBD0yy0q.apk	Get hash	malicious	Browse	13.224.195.88
	ehDnx4Ke5d.exe	Get hash	malicious	Browse	3.22.15.135
	KY4cmAI0jU.exe	Get hash	malicious	Browse	3.34.12.41
	c71fd2gJus.exe	Get hash	malicious	Browse	52.219.64.3
	XQehPgTn35.exe	Get hash	malicious	Browse	3.136.65.236
	E1a92ARmPw.exe	Get hash	malicious	Browse	35.157.179.180
	crt9O3URua.exe	Get hash	malicious	Browse	35.157.179.180
	E1a92ARmPw.exe	Get hash	malicious	Browse	52.218.105.219
	DNPr7t0GMY.exe	Get hash	malicious	Browse	13.59.53.244
	lTAPQJikGw.exe	Get hash	malicious	Browse	99.83.154.118
	SKlGhwkzTi.exe	Get hash	malicious	Browse	44.227.65.245
	SecuriteInfo.com.Trojan.Packed2.43183.29557.exe	Get hash	malicious	Browse	13.59.53.244
	Letter 1019.xlsx	Get hash	malicious	Browse	18.140.1.169
	#U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM	Get hash	malicious	Browse	143.204.98.37
	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse	75.2.26.18

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\ws8W4yPAvg.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	207872
Entropy (8bit):	7.449363749668439
Encrypted:	false
SSDEEP:	6144:MLV6Bta6dtJmakIM5A6fA+eXcTTacsRy3Cj+R:MLV6BtpmkxuA+eXsaDCUq
MD5:	4F777AC67C52BE4D6A8B6F125BC94661
SHA1:	F4FE647FA467BA0D039F9CA61BC18583734F7B46
SHA-256:	D112E19D34E88C040A70367143569C965CB48DBB1FA36579838C51F8CA9EBE7C
SHA-512:	55009C93CBEAA16712DA32025E7B6ED97ED4184F8EF044C46C2F6A7B2692733DC46679BD3124CD8F5CA69884D590DD2401469BBBC0A51D82A8E5219A565409CA
Malicious:	true
Yara Hits:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................b........... ........@.. ......................................................................8...W.... ..._........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...._... ...`..................@..@................t.......H...........T............................................................0..Q........o5........o6....-.&......3+..+.... ....3......1..... 2.... ....3.... ............0..E.......s7....-(&s8....-&&s9....,$&s:........s;.............+.....+.....+.....0..........~....o<.....0..........~....o=.....0..........~....o>.....0..........~....o?.....0..........~....o@.....0.............-.&(A...&+...0..$.......~B........-.(...+.-.&+..B...+.~B....0.............-.&(A...&+...0..

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\ws8W4yPAvg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ws8W4yPAvg.exe.log Download File
Process:	C:\Users\user\Desktop\ws8W4yPAvg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmpEFD2.tmp Download File
Process:	C:\Users\user\Desktop\ws8W4yPAvg.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	5.112502432656558
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0G3xtn:cbk4oL600QydbQxIYODOLedq3rj
MD5:	29AC038EA24283E9A0B7F9AA237F82BA
SHA1:	FA9A6B94A62D82114DC3D3E166752BDCD1CC8585
SHA-256:	DD957BD3A0CCA20FB6AD36B54CEBDC252241F3D770ECB3431C87717B5FE48B7A
SHA-512:	3EC9561C4805E224463AD1824F9AC231A12BC2108C79EF5900E7392B52FBDE1BD43B1E4A762FE9DBDB6F44B1F517FC6C3A2721DCFFAFF3CBD02DAF3F1A54F1A8
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpFE1B.tmp Download File
Process:	C:\Users\user\Desktop\ws8W4yPAvg.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\ws8W4yPAvg.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:3JBI8tn:5BI8
MD5:	9C5F59B284ADF6282C473111B7B221FF
SHA1:	B307A21EDBB27C8C3B7CC0F2BB8020FA61D2E55A
SHA-256:	9CBE8533F0F928F1232F4A1441B49A1D687738826D3057265D174EB300B7FF3D
SHA-512:	01A70199AB09D7CAF3D37662F4193F49923C5991347D002341C1A260C2517886F2867C65DE083D57047941A5D1357017ACCFDC50948CB366688715FFFA6A2AC1
Malicious:	true
Preview:	E...M-.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\ws8W4yPAvg.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	4.506750662926249
Encrypted:	false
SSDEEP:	3:oNWXp5vSWkczLACn:oNWXpFS8LACn
MD5:	2289D44B878445B8D01E11EA3DC07C63
SHA1:	B229492032E28EF9E89CAAC1B79347DFBC00AB37
SHA-256:	A8B6D4E014D16578BA30B167E59BCA31241E34A19CA6D362E6F21C08B6257FD7
SHA-512:	4C7CC362A46050F0C2B1D41A4C11F5D421E8CCAC425FA83640646960AAFFC3251DA32C8FB8C2524F39BB14CEA8BDD5A87C0E7ADFC77E97217ED8D78EC48C172B
Malicious:	false
Preview:	C:\Users\user\Desktop\ws8W4yPAvg.exe

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.449363749668439
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ws8W4yPAvg.exe
File size:	207872
MD5:	4f777ac67c52be4d6a8b6f125bc94661
SHA1:	f4fe647fa467ba0d039f9ca61bc18583734f7b46
SHA256:	d112e19d34e88c040a70367143569c965cb48dbb1fa36579838c51f8ca9ebe7c
SHA512:	55009c93cbeaa16712da32025e7b6ed97ed4184f8ef044c46c2f6a7b2692733dc46679bd3124cd8f5ca69884d590dd2401469bbbc0a51d82a8e5219a565409ca
SSDEEP:	6144:MLV6Bta6dtJmakIM5A6fA+eXcTTacsRy3Cj+R:MLV6BtpmkxuA+eXsaDCUq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................b........... ........@.. .....................................................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x41e792
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e738	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x15fc0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x20000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1c798	0x1c800	False	0.594503837719	data	6.59804227232	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x20000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x22000	0x15fc0	0x16000	False	1.00012207031	data	7.99764484035	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_RCDATA	0x22058	0x15f68	TIM image, (53542,20879)

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/11/21-19:58:04.588686	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49720	10877	192.168.2.3	3.133.207.110
06/11/21-19:58:09.044779	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49724	10877	192.168.2.3	3.133.207.110
06/11/21-19:58:14.567289	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49728	10877	192.168.2.3	3.133.207.110
06/11/21-19:58:34.714536	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49738	10877	192.168.2.3	3.133.207.110
06/11/21-19:58:39.400073	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49739	10877	192.168.2.3	3.133.207.110
06/11/21-19:58:44.481466	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49740	10877	192.168.2.3	3.133.207.110
06/11/21-19:59:04.476577	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49750	10877	192.168.2.3	3.22.15.135
06/11/21-19:59:08.898642	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49756	10877	192.168.2.3	3.133.207.110
06/11/21-19:59:14.004266	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49757	10877	192.168.2.3	3.22.15.135
06/11/21-19:59:34.725309	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49761	10877	192.168.2.3	3.131.147.49
06/11/21-19:59:39.481808	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49764	10877	192.168.2.3	3.22.15.135
06/11/21-19:59:44.243284	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49765	10877	192.168.2.3	3.131.147.49
06/11/21-20:00:03.840152	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49769	10877	192.168.2.3	3.138.180.119
06/11/21-20:00:08.194247	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49770	10877	192.168.2.3	3.138.180.119

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 19:58:04.403009892 CEST	49720	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:04.545111895 CEST	10877	49720	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:04.545603037 CEST	49720	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:04.588685989 CEST	49720	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:04.685373068 CEST	10877	49720	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:04.685549974 CEST	49720	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:04.686511993 CEST	49720	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:04.827195883 CEST	10877	49720	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:08.902681112 CEST	49724	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:09.043320894 CEST	10877	49724	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:09.044454098 CEST	49724	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:09.044779062 CEST	49724	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:09.183835030 CEST	10877	49724	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:09.183923960 CEST	10877	49724	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:09.183989048 CEST	49724	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:09.184094906 CEST	49724	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:09.323215008 CEST	10877	49724	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:14.426196098 CEST	49728	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:14.566521883 CEST	10877	49728	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:14.566668987 CEST	49728	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:14.567289114 CEST	49728	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:14.705598116 CEST	10877	49728	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:14.705689907 CEST	49728	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:14.711880922 CEST	49728	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:14.846218109 CEST	10877	49728	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:34.573154926 CEST	49738	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:34.713946104 CEST	10877	49738	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:34.714077950 CEST	49738	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:34.714535952 CEST	49738	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:34.855199099 CEST	10877	49738	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:34.855495930 CEST	10877	49738	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:34.858256102 CEST	49738	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:34.858376026 CEST	49738	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:34.997383118 CEST	10877	49738	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:39.260561943 CEST	49739	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:39.399466038 CEST	10877	49739	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:39.399610996 CEST	49739	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:39.400073051 CEST	49739	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:39.538490057 CEST	10877	49739	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:39.538610935 CEST	49739	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:39.538718939 CEST	49739	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:39.680330038 CEST	10877	49739	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:44.340651035 CEST	49740	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:44.480854034 CEST	10877	49740	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:44.481008053 CEST	49740	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:44.481466055 CEST	49740	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:44.620685101 CEST	10877	49740	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:44.620735884 CEST	10877	49740	3.133.207.110	192.168.2.3
Jun 11, 2021 19:58:44.620831966 CEST	49740	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:44.620964050 CEST	49740	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:58:44.763111115 CEST	10877	49740	3.133.207.110	192.168.2.3
Jun 11, 2021 19:59:03.995105028 CEST	49750	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:04.134140968 CEST	10877	49750	3.22.15.135	192.168.2.3
Jun 11, 2021 19:59:04.134345055 CEST	49750	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:04.273701906 CEST	10877	49750	3.22.15.135	192.168.2.3
Jun 11, 2021 19:59:04.273895025 CEST	49750	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:04.476577044 CEST	49750	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:04.476900101 CEST	49750	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:04.615555048 CEST	10877	49750	3.22.15.135	192.168.2.3
Jun 11, 2021 19:59:08.757270098 CEST	49756	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:59:08.898076057 CEST	10877	49756	3.133.207.110	192.168.2.3
Jun 11, 2021 19:59:08.898200035 CEST	49756	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:59:08.898642063 CEST	49756	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:59:09.037270069 CEST	10877	49756	3.133.207.110	192.168.2.3
Jun 11, 2021 19:59:09.037298918 CEST	10877	49756	3.133.207.110	192.168.2.3
Jun 11, 2021 19:59:09.037435055 CEST	49756	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:59:09.037508965 CEST	49756	10877	192.168.2.3	3.133.207.110
Jun 11, 2021 19:59:09.176383972 CEST	10877	49756	3.133.207.110	192.168.2.3
Jun 11, 2021 19:59:13.806499004 CEST	49757	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:13.946713924 CEST	10877	49757	3.22.15.135	192.168.2.3
Jun 11, 2021 19:59:13.946926117 CEST	49757	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:14.004266024 CEST	49757	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:14.085984945 CEST	10877	49757	3.22.15.135	192.168.2.3
Jun 11, 2021 19:59:14.086097956 CEST	49757	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:14.086210966 CEST	49757	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:14.225075960 CEST	10877	49757	3.22.15.135	192.168.2.3
Jun 11, 2021 19:59:34.582214117 CEST	49761	10877	192.168.2.3	3.131.147.49
Jun 11, 2021 19:59:34.723385096 CEST	10877	49761	3.131.147.49	192.168.2.3
Jun 11, 2021 19:59:34.724436998 CEST	49761	10877	192.168.2.3	3.131.147.49
Jun 11, 2021 19:59:34.725308895 CEST	49761	10877	192.168.2.3	3.131.147.49
Jun 11, 2021 19:59:34.864056110 CEST	10877	49761	3.131.147.49	192.168.2.3
Jun 11, 2021 19:59:34.864510059 CEST	10877	49761	3.131.147.49	192.168.2.3
Jun 11, 2021 19:59:34.864751101 CEST	49761	10877	192.168.2.3	3.131.147.49
Jun 11, 2021 19:59:34.864793062 CEST	49761	10877	192.168.2.3	3.131.147.49
Jun 11, 2021 19:59:35.005775928 CEST	10877	49761	3.131.147.49	192.168.2.3
Jun 11, 2021 19:59:39.338007927 CEST	49764	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:39.477766991 CEST	10877	49764	3.22.15.135	192.168.2.3
Jun 11, 2021 19:59:39.481096983 CEST	49764	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:39.481807947 CEST	49764	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:39.620954990 CEST	10877	49764	3.22.15.135	192.168.2.3
Jun 11, 2021 19:59:39.621108055 CEST	49764	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:39.624483109 CEST	49764	10877	192.168.2.3	3.22.15.135
Jun 11, 2021 19:59:39.760782003 CEST	10877	49764	3.22.15.135	192.168.2.3
Jun 11, 2021 19:59:44.102575064 CEST	49765	10877	192.168.2.3	3.131.147.49
Jun 11, 2021 19:59:44.241961956 CEST	10877	49765	3.131.147.49	192.168.2.3
Jun 11, 2021 19:59:44.242136955 CEST	49765	10877	192.168.2.3	3.131.147.49
Jun 11, 2021 19:59:44.243283987 CEST	49765	10877	192.168.2.3	3.131.147.49
Jun 11, 2021 19:59:44.384069920 CEST	10877	49765	3.131.147.49	192.168.2.3
Jun 11, 2021 19:59:44.384316921 CEST	49765	10877	192.168.2.3	3.131.147.49
Jun 11, 2021 19:59:44.384653091 CEST	49765	10877	192.168.2.3	3.131.147.49
Jun 11, 2021 19:59:44.523664951 CEST	10877	49765	3.131.147.49	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 19:57:50.179717064 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:57:50.229897976 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 11, 2021 19:57:51.300148964 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:57:51.353375912 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 11, 2021 19:57:52.745112896 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:57:52.795526028 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 11, 2021 19:57:53.993895054 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:57:54.047333956 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 19:57:55.007006884 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:57:55.060143948 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 11, 2021 19:57:56.102796078 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:57:56.155767918 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 11, 2021 19:57:56.974694967 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:57:57.024892092 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 11, 2021 19:57:59.264272928 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:57:59.314898014 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:00.971560001 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:01.023175955 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:02.225924969 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:02.276540041 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:03.199132919 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:03.257730961 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:04.158620119 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:04.217259884 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:04.269948006 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:04.333017111 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:05.046550989 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:05.105165005 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:05.966762066 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:06.018678904 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:08.141032934 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:08.194413900 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:08.838542938 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:08.899372101 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:09.029974937 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:09.082875967 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:10.126291990 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:10.177953005 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:11.453758955 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:11.503988981 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:14.362339973 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:14.423520088 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:23.629620075 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:23.688745975 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:27.656894922 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:27.720432043 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:34.513066053 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:34.571826935 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:39.199907064 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:39.258991003 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:44.280694962 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:44.339658976 CEST	53	61292	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:45.158186913 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:45.230710983 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:47.032584906 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:47.092215061 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 11, 2021 19:58:47.190593958 CEST	61946	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:58:47.250890017 CEST	53	61946	8.8.8.8	192.168.2.3
Jun 11, 2021 19:59:00.615561008 CEST	64910	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:59:00.688441038 CEST	53	64910	8.8.8.8	192.168.2.3
Jun 11, 2021 19:59:03.929529905 CEST	52123	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:59:03.993848085 CEST	53	52123	8.8.8.8	192.168.2.3
Jun 11, 2021 19:59:07.549428940 CEST	56130	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:59:07.610183001 CEST	53	56130	8.8.8.8	192.168.2.3
Jun 11, 2021 19:59:08.695753098 CEST	56338	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:59:08.755603075 CEST	53	56338	8.8.8.8	192.168.2.3
Jun 11, 2021 19:59:13.745275021 CEST	59420	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:59:13.804868937 CEST	53	59420	8.8.8.8	192.168.2.3
Jun 11, 2021 19:59:34.521006107 CEST	58784	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:59:34.579324961 CEST	53	58784	8.8.8.8	192.168.2.3
Jun 11, 2021 19:59:35.705945015 CEST	63978	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:59:35.774312973 CEST	53	63978	8.8.8.8	192.168.2.3
Jun 11, 2021 19:59:36.869941950 CEST	62938	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:59:36.937087059 CEST	53	62938	8.8.8.8	192.168.2.3
Jun 11, 2021 19:59:39.277440071 CEST	55708	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:59:39.336503029 CEST	53	55708	8.8.8.8	192.168.2.3
Jun 11, 2021 19:59:44.040237904 CEST	56803	53	192.168.2.3	8.8.8.8
Jun 11, 2021 19:59:44.100423098 CEST	53	56803	8.8.8.8	192.168.2.3
Jun 11, 2021 20:00:03.633408070 CEST	57145	53	192.168.2.3	8.8.8.8
Jun 11, 2021 20:00:03.696804047 CEST	53	57145	8.8.8.8	192.168.2.3
Jun 11, 2021 20:00:07.992259026 CEST	55359	53	192.168.2.3	8.8.8.8
Jun 11, 2021 20:00:08.053497076 CEST	53	55359	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 11, 2021 19:58:04.269948006 CEST	192.168.2.3	8.8.8.8	0x63cf	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)
Jun 11, 2021 19:58:08.838542938 CEST	192.168.2.3	8.8.8.8	0x7f34	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)
Jun 11, 2021 19:58:14.362339973 CEST	192.168.2.3	8.8.8.8	0xcbc1	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)
Jun 11, 2021 19:58:34.513066053 CEST	192.168.2.3	8.8.8.8	0xeeb3	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)
Jun 11, 2021 19:58:39.199907064 CEST	192.168.2.3	8.8.8.8	0xc08f	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)
Jun 11, 2021 19:58:44.280694962 CEST	192.168.2.3	8.8.8.8	0xc847	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)
Jun 11, 2021 19:59:03.929529905 CEST	192.168.2.3	8.8.8.8	0x4f2a	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)
Jun 11, 2021 19:59:08.695753098 CEST	192.168.2.3	8.8.8.8	0xdc18	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)
Jun 11, 2021 19:59:13.745275021 CEST	192.168.2.3	8.8.8.8	0x61cb	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)
Jun 11, 2021 19:59:34.521006107 CEST	192.168.2.3	8.8.8.8	0x3add	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)
Jun 11, 2021 19:59:39.277440071 CEST	192.168.2.3	8.8.8.8	0x1a22	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)
Jun 11, 2021 19:59:44.040237904 CEST	192.168.2.3	8.8.8.8	0x2764	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)
Jun 11, 2021 20:00:03.633408070 CEST	192.168.2.3	8.8.8.8	0xfc99	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)
Jun 11, 2021 20:00:07.992259026 CEST	192.168.2.3	8.8.8.8	0xac89	Standard query (0)	4.tcp.ngrok.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jun 11, 2021 19:58:04.333017111 CEST	8.8.8.8	192.168.2.3	0x63cf	No error (0)	4.tcp.ngrok.io	3.133.207.110	A (IP address)	IN (0x0001)
Jun 11, 2021 19:58:08.899372101 CEST	8.8.8.8	192.168.2.3	0x7f34	No error (0)	4.tcp.ngrok.io	3.133.207.110	A (IP address)	IN (0x0001)
Jun 11, 2021 19:58:14.423520088 CEST	8.8.8.8	192.168.2.3	0xcbc1	No error (0)	4.tcp.ngrok.io	3.133.207.110	A (IP address)	IN (0x0001)
Jun 11, 2021 19:58:34.571826935 CEST	8.8.8.8	192.168.2.3	0xeeb3	No error (0)	4.tcp.ngrok.io	3.133.207.110	A (IP address)	IN (0x0001)
Jun 11, 2021 19:58:39.258991003 CEST	8.8.8.8	192.168.2.3	0xc08f	No error (0)	4.tcp.ngrok.io	3.133.207.110	A (IP address)	IN (0x0001)
Jun 11, 2021 19:58:44.339658976 CEST	8.8.8.8	192.168.2.3	0xc847	No error (0)	4.tcp.ngrok.io	3.133.207.110	A (IP address)	IN (0x0001)
Jun 11, 2021 19:59:03.993848085 CEST	8.8.8.8	192.168.2.3	0x4f2a	No error (0)	4.tcp.ngrok.io	3.22.15.135	A (IP address)	IN (0x0001)
Jun 11, 2021 19:59:08.755603075 CEST	8.8.8.8	192.168.2.3	0xdc18	No error (0)	4.tcp.ngrok.io	3.133.207.110	A (IP address)	IN (0x0001)
Jun 11, 2021 19:59:13.804868937 CEST	8.8.8.8	192.168.2.3	0x61cb	No error (0)	4.tcp.ngrok.io	3.22.15.135	A (IP address)	IN (0x0001)
Jun 11, 2021 19:59:34.579324961 CEST	8.8.8.8	192.168.2.3	0x3add	No error (0)	4.tcp.ngrok.io	3.131.147.49	A (IP address)	IN (0x0001)
Jun 11, 2021 19:59:39.336503029 CEST	8.8.8.8	192.168.2.3	0x1a22	No error (0)	4.tcp.ngrok.io	3.22.15.135	A (IP address)	IN (0x0001)
Jun 11, 2021 19:59:44.100423098 CEST	8.8.8.8	192.168.2.3	0x2764	No error (0)	4.tcp.ngrok.io	3.131.147.49	A (IP address)	IN (0x0001)
Jun 11, 2021 20:00:03.696804047 CEST	8.8.8.8	192.168.2.3	0xfc99	No error (0)	4.tcp.ngrok.io	3.138.180.119	A (IP address)	IN (0x0001)
Jun 11, 2021 20:00:08.053497076 CEST	8.8.8.8	192.168.2.3	0xac89	No error (0)	4.tcp.ngrok.io	3.138.180.119	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ws8W4yPAvg.exe PID: 4088 Parent PID: 5676

General

Start time:	19:57:56
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\ws8W4yPAvg.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ws8W4yPAvg.exe'
Imagebase:	0x60000
File size:	207872 bytes
MD5 hash:	4F777AC67C52BE4D6A8B6F125BC94661
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000000.198429567.0000000000062000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5292 Parent PID: 4088

General

Start time:	19:57:58
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEFD2.tmp'
Imagebase:	0x8d0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6096 Parent PID: 5292

General

Start time:	19:58:00
Start date:	11/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 3708 Parent PID: 4088

General

Start time:	19:58:01
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpFE1B.tmp'
Imagebase:	0x8d0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ws8W4yPAvg.exe PID: 3012 Parent PID: 528

General

Start time:	19:58:01
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\ws8W4yPAvg.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ws8W4yPAvg.exe 0
Imagebase:	0x50000
File size:	207872 bytes
MD5 hash:	4F777AC67C52BE4D6A8B6F125BC94661
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.223088157.0000000000052000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.224117894.00000000038B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.224074695.00000000028B1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.224074695.00000000028B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.209534119.0000000000052000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 5396 Parent PID: 3708

General

Start time:	19:58:02
Start date:	11/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 3216 Parent PID: 528

General

Start time:	19:58:03
Start date:	11/06/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x390000
File size:	207872 bytes
MD5 hash:	4F777AC67C52BE4D6A8B6F125BC94661
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000000.214551753.0000000000392000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.229264984.00000000029E1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.229264984.00000000029E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.229298937.00000000039E1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.229298937.00000000039E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.228024538.0000000000392000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 3528 Parent PID: 3388

General

Start time:	19:58:07
Start date:	11/06/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xc0000
File size:	207872 bytes
MD5 hash:	4F777AC67C52BE4D6A8B6F125BC94661
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.239146095.00000000036A1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.239146095.00000000036A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.238181318.00000000000C2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000000.222145161.00000000000C2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.239109730.00000000026A1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.239109730.00000000026A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ws8W4yPAvg.exe PID: 4088 Parent PID: 5676 ws8W4yPAvg.exeCOMMON

Executed Functions

Function 0074AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0074AAB1

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8628ba036d763a22bbd612b81f703372b4b90238338d4233b14ecc56d2f169c7
Instruction ID: b1226ccd2c00879fb8e39153f62eb8504efe236a0fb72c2e0fbf9e5d8605fa94
Opcode Fuzzy Hash: 8628ba036d763a22bbd612b81f703372b4b90238338d4233b14ecc56d2f169c7
Instruction Fuzzy Hash: 7631B472544384AFE7228B25CC45F67BFACEF16710F08859BED819B152D364A849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0074AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,524E7011,00000000,00000000,00000000,00000000), ref: 0074ABB4

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 34962e8c9d4c31643afe61e439579339bfd26e93e4f9c767718aeb22c510c484
Instruction ID: bc6a11b753526f461effad5729a6f9b8f68ad241c86fb33b138916b9b02f2374
Opcode Fuzzy Hash: 34962e8c9d4c31643afe61e439579339bfd26e93e4f9c767718aeb22c510c484
Instruction Fuzzy Hash: 08319375109384AFE722CF25CC44F52BFA8EF06310F18849AE9858B252D364E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0074AF50, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0074AFEA

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 52cbbf2fe2fa9426377506fd5422e143281dcf652633079b48737a7c74f260a6
Instruction ID: 9947dbd1ed11bfae2dc33994e76019824c7717369050f68ae74f62158f5b015a
Opcode Fuzzy Hash: 52cbbf2fe2fa9426377506fd5422e143281dcf652633079b48737a7c74f260a6
Instruction Fuzzy Hash: C031827544E3C06FD7138B258C55B62BFB4EF47610F0A41DBE884CB5A3D228A919C772

Uniqueness

Uniqueness Score: -1.00%

Function 0074A078, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0074A10E

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 59537e0f0a14c73c5e5bc09841b8cb2df6fb0f933174d0fc1e67b2764f1d3cb0
Instruction ID: 068f774e2b8975a0c85b183ccbf6ea766274b945e7d7d72c1e288e1c9b4bd133
Opcode Fuzzy Hash: 59537e0f0a14c73c5e5bc09841b8cb2df6fb0f933174d0fc1e67b2764f1d3cb0
Instruction Fuzzy Hash: 0021D67140D3C06FD3128B618C55B66BFB4EF87620F1981DBE984CF293D224A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0074AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0074AAB1

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8bf7a1d752125289bdb9eae6114c08b4d8c176ce0d5a0241951047c742f56625
Instruction ID: fb0c74568d94ef561e65662c05fdda5f6654c0d7a8dae49de08acbcca238c503
Opcode Fuzzy Hash: 8bf7a1d752125289bdb9eae6114c08b4d8c176ce0d5a0241951047c742f56625
Instruction Fuzzy Hash: 0F219D72540604AFE7219B65CD84F6BFBECEF14720F14C95BEE459A241D764E808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0074AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,524E7011,00000000,00000000,00000000,00000000), ref: 0074ABB4

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d3a077ca445ed31d38117e0b08a1e789efc251e7f4f47dcd3793f45bb12d94d3
Instruction ID: 9832b87e8c663b9cc9b5adddb77adcf15943949dd0dec9d08f5d9ef8d57c5dcc
Opcode Fuzzy Hash: d3a077ca445ed31d38117e0b08a1e789efc251e7f4f47dcd3793f45bb12d94d3
Instruction Fuzzy Hash: 72218EB5540604AFEB21CF25CC84FA7FBECEF15710F14856AED459B251D764E808CA72

Uniqueness

Uniqueness Score: -1.00%

Function 0074A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0074A58A

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dc452af9bc119469f072f6273bb0c4e18ed5a82310d119bfb69978f92dd867f6
Instruction ID: f4be43623798e8e27dbdbb012f825a2fce0f4f065ffd924c1659e448438094aa
Opcode Fuzzy Hash: dc452af9bc119469f072f6273bb0c4e18ed5a82310d119bfb69978f92dd867f6
Instruction Fuzzy Hash: 95118771405380AFDB228F55DC44A62FFF4EF4A310F0885DAED858B152C375A918DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0074B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0074B841

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 15fb490e0f763bf4af069865cb7e74e4b13da29dde738c5eaf26db3af88b80f9
Instruction ID: 61c96e4c057a0c4ce47d77e0f05dcc297abf3795efb7c01376eff6f42710f832
Opcode Fuzzy Hash: 15fb490e0f763bf4af069865cb7e74e4b13da29dde738c5eaf26db3af88b80f9
Instruction Fuzzy Hash: 462190714097C09FDB128B21DC54A92BFB4EF1B320F0D84DAEDC44F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0074BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0074BBB9

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f3ae5885852da4fd217dc978f985f37a9761d501c420ec22b4104bc9716113c3
Instruction ID: 589692be134fd4a0a99f0b3026632a0f8381c7de6d0b72c541036c47b4e46edd
Opcode Fuzzy Hash: f3ae5885852da4fd217dc978f985f37a9761d501c420ec22b4104bc9716113c3
Instruction Fuzzy Hash: BD11D0754093C0AFDB228F25CC45B52FFB4EF16220F0885DEED858B563D365A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0074BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0074BE70

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 48368209f13c550e620af04f7e1917216be35d8bb4f9646949e92945ff477d90
Instruction ID: 0e0cfafe5eeeab71ff27efaeeaee7f2e0c996c8efa1f93187ac6c2d441938205
Opcode Fuzzy Hash: 48368209f13c550e620af04f7e1917216be35d8bb4f9646949e92945ff477d90
Instruction Fuzzy Hash: 41118E754093C0AFDB138B25DC44B62BFB4DF47624F0984DAED858F263D269A848DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0074B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0074B78A

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 6daebcdeee56daf5d82134bb0951c6fb2f82a4f43ddd5b4ff27a85f6c3c74e55
Instruction ID: 2c8b8f9629513543ea107188868a84d239d4410d8e37c034ada9b21be0f0e072
Opcode Fuzzy Hash: 6daebcdeee56daf5d82134bb0951c6fb2f82a4f43ddd5b4ff27a85f6c3c74e55
Instruction Fuzzy Hash: 82117271408384AFDB228F55DC44A52FFF4EF49320F08859EEE858B562C375A858DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0074BEB4, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0074BF0C

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: bff6cbe62df7e76f64aede1311d7511936a2a2c6011f0f1408b845975a53d1f1
Instruction ID: 39a113311398e8ea9b2f3f72cb262c765d6bde9a0ea55946df568ade75d6c9de
Opcode Fuzzy Hash: bff6cbe62df7e76f64aede1311d7511936a2a2c6011f0f1408b845975a53d1f1
Instruction Fuzzy Hash: 07119E72505380AFD711CF25DC85B56BFE8EF46220F0884AAED49CF252D378E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0074A75B, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0074A7BC

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 45649489f97c34408099517dd1e8998e02a6423b0865590be69e5c6633b3ef40
Instruction ID: f398bca72556f5673b88d778f9757426979b1d40a39a400e717ccb271b33c9a8
Opcode Fuzzy Hash: 45649489f97c34408099517dd1e8998e02a6423b0865590be69e5c6633b3ef40
Instruction Fuzzy Hash: 61119171449384AFD712CF15DC84B52BFB4EF46221F08849AED459F253D375A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0074A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0074A926

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6d5785bfe5c43141e7065cc168011c73d9a8e79122c07f5d53b08d45534f418e
Instruction ID: 52073414d5175f728564bd08bbf1eccbc95629d439839b5a1729908ea57e3610
Opcode Fuzzy Hash: 6d5785bfe5c43141e7065cc168011c73d9a8e79122c07f5d53b08d45534f418e
Instruction Fuzzy Hash: D2118E31409784AFDB228F15DC85A52FFF4EF16320F09C4DAEE854B262C375A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0074BED2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0074BF0C

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ebc265bfef82846f50ba256eb2e50cf355afcb72544715313e14dfcecabf9d9f
Instruction ID: bf0316afe0e032c71bfea857fc36f7478cd00d0ba40d3a023eca759fea4a29af
Opcode Fuzzy Hash: ebc265bfef82846f50ba256eb2e50cf355afcb72544715313e14dfcecabf9d9f
Instruction Fuzzy Hash: 58015E716002409FEB10DF29DC85766FB98DF44321F18C4AADD49CB656D779E848CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0074A0BE, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0074A10E

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 07255b40399ef6361935a5129640c9f7c8da86aa4f5505730ff411a81c611b51
Instruction ID: 1b85b0bf13e96c34f209b1f38c07efefe9aa156f4fc9ff7bb5e9287fbfe2199c
Opcode Fuzzy Hash: 07255b40399ef6361935a5129640c9f7c8da86aa4f5505730ff411a81c611b51
Instruction Fuzzy Hash: A5017171500600ABE710DF16DC85B26FBA8FB88A20F14856AED089B741E335B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0074A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0074A58A

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ca11be54a85bab76ef8b27f7d22d55709b9889bf9c8862de521ca01643870cf8
Instruction ID: a20201c5908f21d6e6951a9271daff0da31d6c804f6b0973fb90e1fc74195f81
Opcode Fuzzy Hash: ca11be54a85bab76ef8b27f7d22d55709b9889bf9c8862de521ca01643870cf8
Instruction Fuzzy Hash: 7F016D31400600EFDB218F55D944B56FFE0EF48321F18C99AEE494A612C375A428DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0074B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0074B78A

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 7e1a96523724b3af3e82861b34edf87c22024ce756d16d9d1a446c51a1dd69ad
Instruction ID: e3d6f625186d36d2eec0a871b2e0f7e9af15a322477867c1acf1c3757874a610
Opcode Fuzzy Hash: 7e1a96523724b3af3e82861b34edf87c22024ce756d16d9d1a446c51a1dd69ad
Instruction Fuzzy Hash: DB016D31400600EFDB218F55D884B66FFE0EF48320F18C9AAEE494A622D375E818DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0074AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0074AFEA

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 458a204f1290475035a203b754fb0aac696439eff6205abeebe23fd8d99c5f01
Instruction ID: 0b2ab5ff823e578fb968700d8816355fa4001dc3bd5a7cd7f9895be7f49f8df0
Opcode Fuzzy Hash: 458a204f1290475035a203b754fb0aac696439eff6205abeebe23fd8d99c5f01
Instruction Fuzzy Hash: 2501AD72500600ABE610DF16DC86F26FBA8FB88B20F14815AED084B741E331F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0074BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0074BBB9

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a526f8630891c46dcf343223df81069dafde48ea8be3fd30c587189970466418
Instruction ID: 447336a9dfdb9bd7aee9e51a4b28872e420c14442b535a19d882fe374a1fc03d
Opcode Fuzzy Hash: a526f8630891c46dcf343223df81069dafde48ea8be3fd30c587189970466418
Instruction Fuzzy Hash: 83019E755046009FEB208F55D884B66FFA0EF14320F18849ADD464A626C375E858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0074A78A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0074A7BC

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 3525bef1e1968240be3519094e3c7db84e66340497bde285a9748654fbeb4357
Instruction ID: 8d8f45234c7281e440e12d163e80a118e76b6b621c1b91bc26c18d381c7ee0f6
Opcode Fuzzy Hash: 3525bef1e1968240be3519094e3c7db84e66340497bde285a9748654fbeb4357
Instruction Fuzzy Hash: 2101A274800240AFDB21CF15D884766FFE4EF44321F18C4AADD098F202D379A844DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0074B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0074B841

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bc1f267e57454012afe16cd67fc04a4e3254a7486f254dba3310e3cec73e82e7
Instruction ID: 8932f1d7e59a25728face39bdfab763f3ec07e75a04ecd06798b1e50f8358133
Opcode Fuzzy Hash: bc1f267e57454012afe16cd67fc04a4e3254a7486f254dba3310e3cec73e82e7
Instruction Fuzzy Hash: 8101A231400644DFDB208F15D884B66FFA8EF08320F18C49ADE490B222D375E858DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0074A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0074A926

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 7fff9bdd1cf372012ea5bd4ca00f477bff3bdee01a1dfb4e32eac994938c220d
Instruction ID: be2b1df8195d8a48779be2f03ce45128318df7a276a9b119195d367e545e39ba
Opcode Fuzzy Hash: 7fff9bdd1cf372012ea5bd4ca00f477bff3bdee01a1dfb4e32eac994938c220d
Instruction Fuzzy Hash: 2701AD31800604EFDB208F05D885752FFA0EF09320F18C4AADE4A0B212C3B9A808DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0074A372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0074A3A4

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 863ec9e72bf91e9e8622f48e7d171c8f1ad0cbcac6ae9cfd148ab77a74c65eb3
Instruction ID: 23198437bde38c8a2e8e39b3afe613f60def9820c168038da71f7b31fe0c5b51
Opcode Fuzzy Hash: 863ec9e72bf91e9e8622f48e7d171c8f1ad0cbcac6ae9cfd148ab77a74c65eb3
Instruction Fuzzy Hash: 86F0AF35440744EFDB208F15D884766FFA4EF05321F28C09ADD494B612E7B9A848DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0074BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0074BE70

Memory Dump Source

Source File: 00000000.00000002.465760966.000000000074A000.00000040.00000001.sdmp, Offset: 0074A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 863ec9e72bf91e9e8622f48e7d171c8f1ad0cbcac6ae9cfd148ab77a74c65eb3
Instruction ID: 6796fdebf6ca486b407bcdb69babb6ae12b882b419e1c2b71429cd8c52c3c308
Opcode Fuzzy Hash: 863ec9e72bf91e9e8622f48e7d171c8f1ad0cbcac6ae9cfd148ab77a74c65eb3
Instruction Fuzzy Hash: F7F0AF35804644DFDB208F15D8847A2FFA0EF45321F18C4AADE494B212D3B9E848DEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0075ADD8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.465808438.0000000000752000.00000040.00000001.sdmp, Offset: 00752000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9a6a57ee3c16e932b354cc410c574745e8b5eb625a48de72f8e2392af2928f
Instruction ID: 7dc3efcf42ccd21224c6574fa162e05f27e3829e5ed6dde270d9da27d9cc310f
Opcode Fuzzy Hash: 5d9a6a57ee3c16e932b354cc410c574745e8b5eb625a48de72f8e2392af2928f
Instruction Fuzzy Hash: 0311DAB5608301AFD350CF19DC80A57FBE8EB88660F14891EFD9997311D271E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0075AE27, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.465808438.0000000000752000.00000040.00000001.sdmp, Offset: 00752000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41880c68369b3c4e678ee0d23d6427157aae352f2eec4c7880501175ec047768
Instruction ID: 0e1339517b926b3b1213f500201998cb5dc456bf9dadaf693f0c75aec3a44662
Opcode Fuzzy Hash: 41880c68369b3c4e678ee0d23d6427157aae352f2eec4c7880501175ec047768
Instruction Fuzzy Hash: D3E0D87250020467E2108F079C85B63FB58EB44A30F14C557EE0D1B302D271B5049AF6

Uniqueness

Uniqueness Score: -1.00%

Function 007423F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.465719225.0000000000742000.00000040.00000001.sdmp, Offset: 00742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7b08210dcde9ee70e409ff7d7acc54c5ee63e4f0c0cf0211b95130fac448a6
Instruction ID: 2726ac126bdb788a17b388e633f91bda5929a9a335a826d382e80b842cf3ae11
Opcode Fuzzy Hash: 1e7b08210dcde9ee70e409ff7d7acc54c5ee63e4f0c0cf0211b95130fac448a6
Instruction Fuzzy Hash: A3D05E79315AC18FD3268A1CC1A8BA53B94EB51B04F9644FDF8008B6A3C768DD92D200

Uniqueness

Uniqueness Score: -1.00%

Function 007423BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.465719225.0000000000742000.00000040.00000001.sdmp, Offset: 00742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3092162f5ce7a9920a3d75b24c86ad3e95d7c769d7052086412668ce75ebdcdb
Instruction ID: 731780776aeddb9d6ef4aa8b0730b44f9c228867c68ab5cc88710d4319d41e07
Opcode Fuzzy Hash: 3092162f5ce7a9920a3d75b24c86ad3e95d7c769d7052086412668ce75ebdcdb
Instruction Fuzzy Hash: 13D05E342002818BC715DF0CC594F5937E4AB41B00F0644E8BC008B662C3ACDC92C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0006524A, Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.464501359.0000000000062000.00000002.00020000.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.464461818.0000000000060000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.464781898.0000000000082000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8098e29a36d30d9914beb125c3c34926cfb2a16b1f5591641f6e75a409070f65
Instruction ID: 55fa7a6674d7d499a0b5e3256f6558ca69d96a92c2a3eddfe435638ec4d9b27e
Opcode Fuzzy Hash: 8098e29a36d30d9914beb125c3c34926cfb2a16b1f5591641f6e75a409070f65
Instruction Fuzzy Hash: 4A32646144F7C14FD7635B788CB86A17FB1AE6321474E49CBC0C1CF4A3EA19591AC722

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ws8W4yPAvg.exe PID: 3012 Parent PID: 528 ws8W4yPAvg.exeCOMMON

Executed Functions

Function 00AE3850, Relevance: 2.0, Strings: 1, Instructions: 758COMMON

Download Yara Rule

Strings

>_?r, xrefs: 00AE3F9D

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: >_?r
API String ID: 0-2961507119
Opcode ID: ade28acabd728bda2a277d9dfebe70ed71dea2bf4e65f7e80985fb6e8062b041
Instruction ID: 713c80db2981b05213caaa9edba2c87f6cf1a1c236621f8e886b4ffbc6d7dc4b
Opcode Fuzzy Hash: ade28acabd728bda2a277d9dfebe70ed71dea2bf4e65f7e80985fb6e8062b041
Instruction Fuzzy Hash: 1752D572A00295DFCF15CF6AC898969BBF2FF84300B29C5AAD5059F252D771EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AE23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbecd13b4f3db7e5a393581d192f5e33123e9db13417e00fd819a0bf24488f29
Instruction ID: d43e49150720724700c4fa053f86165270d93e3eee0fc757d0aed189c1179e94
Opcode Fuzzy Hash: cbecd13b4f3db7e5a393581d192f5e33123e9db13417e00fd819a0bf24488f29
Instruction Fuzzy Hash: 0D12AD30A042A6CFD724DF2AC99476EBBF6FB84304F248169D4069B395EB749D85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AE2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f867470246c9b3fce5fec951102829ae44b6345c8128a6ee4cf78beadeb3627
Instruction ID: 683b42b9526f4e4324409327493fbc0988793f23189c73b3e42c182f31bac18a
Opcode Fuzzy Hash: 7f867470246c9b3fce5fec951102829ae44b6345c8128a6ee4cf78beadeb3627
Instruction Fuzzy Hash: 8881C232F011559BDB04DB6EC854AAEBBF3AFC4710F2A8475E406DB355DE319D018B90

Uniqueness

Uniqueness Score: -1.00%

Function 0062AA24, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 160registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE ref: 0062AAB1

Strings

_, xrefs: 0062ABA8

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: Open
String ID: _
API String ID: 71445658-701932520
Opcode ID: 7e61bf64b18b5fbdfef3767475e405f325a1a5a2b1dc7e43306eebb5cb81b594
Instruction ID: 0233be403fa5716f06be3e299c08bfe3e82e02b9841cdff7ee3fe0a39738d442
Opcode Fuzzy Hash: 7e61bf64b18b5fbdfef3767475e405f325a1a5a2b1dc7e43306eebb5cb81b594
Instruction Fuzzy Hash: 5551BF72500A14AFEB20CF65DC44FA7FBEDEF04710F14855AEA459B241D6A0E809CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 00AE09A5, Relevance: 5.2, Strings: 4, Instructions: 175COMMON

Download Yara Rule

Strings

X1ar, xrefs: 00AE0A98
X1ar, xrefs: 00AE0A50
X1ar, xrefs: 00AE0A5A
X1ar, xrefs: 00AE0AA2

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: X1ar$X1ar$X1ar$X1ar
API String ID: 0-346077691
Opcode ID: 1533ade6a731820b4f2ecc26dc33acdba78d9fad9ee4c362b46146309c617c30
Instruction ID: 0e98fb87bf6aa16990ac2518fef41579b46c560107bff8cbf673ef4dfca587c5
Opcode Fuzzy Hash: 1533ade6a731820b4f2ecc26dc33acdba78d9fad9ee4c362b46146309c617c30
Instruction Fuzzy Hash: 4151D631B04295EFCB149BA5D854E6EBBB2FF84304F208569E506DB250DB709D41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00AE02E8, Relevance: 4.0, Strings: 3, Instructions: 222COMMON

Download Yara Rule

Strings

hec, xrefs: 00AE032A, 00AE033E, 00AE0378, 00AE03BF, 00AE04CA
`5ar, xrefs: 00AE03A5
:@:r, xrefs: 00AE0537

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: :@:r$`5ar$hec
API String ID: 0-721069830
Opcode ID: 942ca28857df05469c9e926152e73244c6bab5ee7f77e9bef3ec8c757ee6ce2b
Instruction ID: 51feb6f30e45d88c87e17bcb0aeb3eac862a2333677699936018d58c39aaec33
Opcode Fuzzy Hash: 942ca28857df05469c9e926152e73244c6bab5ee7f77e9bef3ec8c757ee6ce2b
Instruction Fuzzy Hash: 2471A130B042459FDB08DF69D460A6EBBF3AFC9710F24806AD506AF391DFB19C419BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0062AAF9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,?,?,?,?), ref: 0062ABB4

Strings

_, xrefs: 0062ABA8

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: QueryValue
String ID: _
API String ID: 3660427363-701932520
Opcode ID: fb0ed694c4a140a0bad8119d8b606926e9817f66225de8d1315c24f81e4fa612
Instruction ID: 05f3424d8b6f0b812986ff196cc4fd33762fea136dea1acce0ff84dbb7760467
Opcode Fuzzy Hash: fb0ed694c4a140a0bad8119d8b606926e9817f66225de8d1315c24f81e4fa612
Instruction Fuzzy Hash: 8C319372109784AFE722CF65DC44F92BFB9EF06310F1884DAE9858B252D264E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04AB011C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE ref: 04AB019D

Strings

_, xrefs: 04AB0191

Memory Dump Source

Source File: 00000005.00000002.224434696.0000000004AB0000.00000040.00000001.sdmp, Offset: 04AB0000, based on PE: false

Similarity

API ID: CreateMutex
String ID: _
API String ID: 1964310414-701932520
Opcode ID: f16aa9dc7f7c0b1ea9d193f2915fdc50fb2d539347b3850651183367dfc7afe2
Instruction ID: a22ff3dcf8b60eb7ae5241824a65b37498a5b64abdeb3bb817fd7944a988cf8d
Opcode Fuzzy Hash: f16aa9dc7f7c0b1ea9d193f2915fdc50fb2d539347b3850651183367dfc7afe2
Instruction Fuzzy Hash: 8921BD71509240AFE725CF25EC44BABFFE8EF05320F04845AE9899B242D771A505CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AE2D58, Relevance: 2.6, Strings: 2, Instructions: 124COMMON

Download Yara Rule

Strings

, xrefs: 00AE2E76
>_?r, xrefs: 00AE2DA5

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: $>_?r
API String ID: 0-334426466
Opcode ID: 582420b98ea72ef0f45fdb1259696fdfc49bd7eb7ac0edce4844519b0651c42a
Instruction ID: 338ab23068e1fc3824d1f55d5bff9326f672073d43fe8482a7df1ed01063c62e
Opcode Fuzzy Hash: 582420b98ea72ef0f45fdb1259696fdfc49bd7eb7ac0edce4844519b0651c42a
Instruction Fuzzy Hash: CE41B270E042A5CBDB14DF6AC8847BEBF77EBC4314B29C476C5169B605D635E802CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AE21F8, Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 00AE230F
nc, xrefs: 00AE22F1

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: nc$r*+
API String ID: 0-161945944
Opcode ID: a9eba38dcaa1e40bbc7a40516fd5d9f2293872d1589bb7978e75ba63330c3c6b
Instruction ID: e8e8b03b61d442526b1e65257457da343a3e7caac43192e9ac8009c673dfe59e
Opcode Fuzzy Hash: a9eba38dcaa1e40bbc7a40516fd5d9f2293872d1589bb7978e75ba63330c3c6b
Instruction Fuzzy Hash: F2411A70E08249DFCB48DFA6C5457EEBBB6FF44300F20806AD502AB260DB759A45DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00AE0006, Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

ic, xrefs: 00AE0073
$lc, xrefs: 00AE00E2

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: $lc$ic
API String ID: 0-3668238368
Opcode ID: 4c351a17d4b72ccba3a9228c36432f8b22213e66b68ce24a1096536f890e5b51
Instruction ID: f3ec7a0214af75f9bc0499ac8d6c18f16250a7278e5f7eddfd3254f375b63dcd
Opcode Fuzzy Hash: 4c351a17d4b72ccba3a9228c36432f8b22213e66b68ce24a1096536f890e5b51
Instruction Fuzzy Hash: 54314F7050D3C29FCB02AB74D8755193FB2AE43304B1985DFE482CB2A7E6684844DB63

Uniqueness

Uniqueness Score: -1.00%

Function 00AE12A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$g^r, xrefs: 00AE1349

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: c3af091ee737961026b53fdee048e1b14aa130e56f9a45c5b20912443f0630d4
Instruction ID: ed4ef5d8b7bc8f63edb870321d5dd49d1e6df9f937381c71568ab3ecc0f123e1
Opcode Fuzzy Hash: c3af091ee737961026b53fdee048e1b14aa130e56f9a45c5b20912443f0630d4
Instruction Fuzzy Hash: 91220834A00A55CFC724DF29C494A6ABBF2FF88314F10859AD85A9B755EB34ED85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0062A86F, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0062A926

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 720ad2d9ec4e7defe31a00b582bbac799e51c80d70e194bcb5454652ae60f4a1
Instruction ID: 0b2aa7b9935e7617c00b1a51213561508ae58f1bbe596c1a9ac5072a6b990d8c
Opcode Fuzzy Hash: 720ad2d9ec4e7defe31a00b582bbac799e51c80d70e194bcb5454652ae60f4a1
Instruction Fuzzy Hash: CC21D576409780AFD7218F16DC45B52FFB8DF46620F08849AEE495F252D2B5A908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0062B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0062B841

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 199436311823e34e832e7f1bd8afe80fe13321cd1a144c8887b83454b9d2bd92
Instruction ID: 49c066c52d00f0595dc760dce15dbfbcb9ae5071a5f93e0772e3f1ec15933aed
Opcode Fuzzy Hash: 199436311823e34e832e7f1bd8afe80fe13321cd1a144c8887b83454b9d2bd92
Instruction Fuzzy Hash: 35218E714097C09FDB128B22DC54AA2BFB4EF17310F0D84DAEDC44F263D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0062A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0062A58A

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bdeebbe8b52a225408597d49e698a413ab030387d2f6e2209dd154c9df1d035f
Instruction ID: f25ee347b97ea3e56c1e0745b7d70b554cce49e9bab6dfcc9e80cf1f4dac1c34
Opcode Fuzzy Hash: bdeebbe8b52a225408597d49e698a413ab030387d2f6e2209dd154c9df1d035f
Instruction Fuzzy Hash: 34118771409780AFDB228F55DC44B62FFF4EF4A310F0885DAED858B152D275A918DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0062BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0062BBB9

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c79d7dd461f162620ace314831cea730bf2d12c9de00d612dc5a8385bb244a7a
Instruction ID: 98eea6e07fa11769b7bf744da8daff1aac2c75a0ad3c389cd167399006f660dd
Opcode Fuzzy Hash: c79d7dd461f162620ace314831cea730bf2d12c9de00d612dc5a8385bb244a7a
Instruction Fuzzy Hash: 1111BE35409780AFDB228F25DC45B52FFB4EF16320F0884DEED858B663D265A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0062BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0062BE70

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: a902455d64c12deabcb33b181b40d49d7fcae3490e937ed4c2bc26a18e4008a1
Instruction ID: d1d489678899108d7024a12bbd40ab4cb86d72574c4837e87ec0f619ab9d1430
Opcode Fuzzy Hash: a902455d64c12deabcb33b181b40d49d7fcae3490e937ed4c2bc26a18e4008a1
Instruction Fuzzy Hash: A0118E754097C0AFD7138B25DC44B61BFB4DF47624F0980DAED848F263D2656808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0062B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0062B78A

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b2f45856b98c7191a47b3fb0a6009780d98644921d016d50e57bddd0a297da0c
Instruction ID: b618e3c2618d4c61d3aef178417a70fcc01a3a2276d277e6212d1d497f437098
Opcode Fuzzy Hash: b2f45856b98c7191a47b3fb0a6009780d98644921d016d50e57bddd0a297da0c
Instruction Fuzzy Hash: 5211A231408780AFDB228F65DC44B52FFF4EF4A310F08859EEE898B562C375A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0062BEB4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0062BF0C

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 1e5aafd7c4c0ac66600b2cc52768782e03591bc52b6ee801c1b6ff123b24c0fd
Instruction ID: bec353388d2c18b8d5a51bca899bd3e7d93dce5c5f1951f052815edfcaac323a
Opcode Fuzzy Hash: 1e5aafd7c4c0ac66600b2cc52768782e03591bc52b6ee801c1b6ff123b24c0fd
Instruction Fuzzy Hash: 2D118F715057809FD711CF26DC84B96BFE8EF46220F0884AAED49CF252D274A848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0062A75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0062A7BC

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0fb55f4e1cc6bff1dd72af4d3e5ec318e25c85c1d0551f7c419704d5dc3f432c
Instruction ID: 7de29f497e9a6d534ee573dee855de7941e7463e5b3f700f21373f9a3f00d979
Opcode Fuzzy Hash: 0fb55f4e1cc6bff1dd72af4d3e5ec318e25c85c1d0551f7c419704d5dc3f432c
Instruction Fuzzy Hash: 21118C75449384AFD712CF25DC44B92BFB4EF42220F0984EBED498F253D279A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0062AF8B, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32 ref: 0062AFEA

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 90413e3c83804a279836918059f92b1c0a1f6591e6cae928c61be176e03e62da
Instruction ID: 8765ce1b9d276ec3cd36a13bc8da060a6dbead60e653ff788b47830d114ef2a5
Opcode Fuzzy Hash: 90413e3c83804a279836918059f92b1c0a1f6591e6cae928c61be176e03e62da
Instruction Fuzzy Hash: 1301DE72500600AFD610DF16DC86F26FBA8FB88B20F14815AED085BA40E331F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0062BED2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0062BF0C

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 30fd1cbc740e1edaef184f35ebd832421964e5f28463818b57807ade9fbd0d33
Instruction ID: 2c30f636357e36e6fd1ac6a32f0d7ff193c6ca7578aac2be1383f78eefa0a0a8
Opcode Fuzzy Hash: 30fd1cbc740e1edaef184f35ebd832421964e5f28463818b57807ade9fbd0d33
Instruction Fuzzy Hash: C80180715006409FD710CF2AE9847A6FBA8DF00320F1894AADD49CB646D674E804CE61

Uniqueness

Uniqueness Score: -1.00%

Function 0062B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0062B78A

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 5861927f965b00847fcc5433d31864b1fbbe394a6453a7bf70ca8709084aca67
Instruction ID: 197527bd3f7e3b19f9dc9332498f08dcc6a255158ef1fda3ae65e29dafdc2624
Opcode Fuzzy Hash: 5861927f965b00847fcc5433d31864b1fbbe394a6453a7bf70ca8709084aca67
Instruction Fuzzy Hash: AE016D31400A00EFDB218F65E844B66FFE5EF48320F18C5AAEE494A622D375E419DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0062A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0062A58A

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 63b1fb3782511bfb37b5b1336d84abaa8aca41a7385efa16f2ed43c6297bf1a9
Instruction ID: ce84371f597a01b74a862877bffe464fe84905dccb526f68a9ed9f5fda599850
Opcode Fuzzy Hash: 63b1fb3782511bfb37b5b1336d84abaa8aca41a7385efa16f2ed43c6297bf1a9
Instruction Fuzzy Hash: FB018031400A00EFDB218F95E844B56FFE5EF48320F18C99AEE495B616D2B5E419DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0062BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0062BBB9

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: dd26237fa92898412b402b69f3e2f19a83e5c29bf96421eef5ec3495b6924e77
Instruction ID: 608dfebf1c24cb1398f32693dec2d7aae78acae8278bcd46c1e9b49d8c5d92a9
Opcode Fuzzy Hash: dd26237fa92898412b402b69f3e2f19a83e5c29bf96421eef5ec3495b6924e77
Instruction Fuzzy Hash: 0601D435504A00DFDB208F16D884B66FFA4EF14321F18C09EDE494B665D771E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0062A78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0062A7BC

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: cf5e5c36b04c2cfc872c24fd24b2c8469bf608f60738877eaa4db4b07e4503e9
Instruction ID: 301ceaa260cc64ed07a259dd9255403a0042a868c0140638a56c50ecc549338c
Opcode Fuzzy Hash: cf5e5c36b04c2cfc872c24fd24b2c8469bf608f60738877eaa4db4b07e4503e9
Instruction Fuzzy Hash: 3301A2744046409FDB10CF55E884766FFE4EF44320F18C4AADD088F202D2B5A804CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0062B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0062B841

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3f1d23ecb43909056bf949ca24e77b302474c977256232341ff8109ee6af4d05
Instruction ID: b77df9a4b5a55c8a41cfe38fbe05c795ed01fd8a145e9be4bc465eabe9c34003
Opcode Fuzzy Hash: 3f1d23ecb43909056bf949ca24e77b302474c977256232341ff8109ee6af4d05
Instruction Fuzzy Hash: 8B01A231400A44DFDB208F16D884B66FFA4EF14320F18D09ADE490B222D375A418DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 0062A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0062A926

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 45bb12725da158ce74bd31932c5906f32571f52b07de385760ea4c0f3aa0609d
Instruction ID: 1cdca10e9c7939a58a9dd2a44e500c87ebae43b7feebe741eedd16635fbfbb6c
Opcode Fuzzy Hash: 45bb12725da158ce74bd31932c5906f32571f52b07de385760ea4c0f3aa0609d
Instruction Fuzzy Hash: 8601D635800A04DFDB208F56E885752FFA4EF05320F18C09ADE490B712C2B5A849DF73

Uniqueness

Uniqueness Score: -1.00%

Function 0062BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0062BE70

Memory Dump Source

Source File: 00000005.00000002.223334124.000000000062A000.00000040.00000001.sdmp, Offset: 0062A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 70bd071d03ec269860b7c79f189cb6374adc290eca8571e41cf6f5d4f09c4c61
Instruction ID: 55202cbe4d976275482ddd3d42699b570e3d5b21597e2204b9856f918e4f005f
Opcode Fuzzy Hash: 70bd071d03ec269860b7c79f189cb6374adc290eca8571e41cf6f5d4f09c4c61
Instruction Fuzzy Hash: 80F0A435804A44DFD7108F15E8847A1FFA4DF04320F18D09ADE494F312D3B5A448DEA2

Uniqueness

Uniqueness Score: -1.00%

Function 00AE068B, Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

}c, xrefs: 00AE074F

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: }c
API String ID: 0-2301012139
Opcode ID: 708182fdf760fdcda168636d1625c581ab65aeafb9d6e983a8816d5b87764b8e
Instruction ID: f6265a390bdf81456e3419b0d58424199c09ab53482381dab372bc617c45dcb1
Opcode Fuzzy Hash: 708182fdf760fdcda168636d1625c581ab65aeafb9d6e983a8816d5b87764b8e
Instruction Fuzzy Hash: 5E419CB16046558BD7247F39EC1CA6E3BA3BF80712B14656AF402CB2B1DFB04D819BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00AE1458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$g^r, xrefs: 00AE14C7

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: b3443d59988d9ea20971516caf4e110e79a56d500af62a3535f995f98f01f39c
Instruction ID: e1c6dec9673eab9e3bad4ccef0badeb0e5368d4bbb7a43cedb0cc19158e19beb
Opcode Fuzzy Hash: b3443d59988d9ea20971516caf4e110e79a56d500af62a3535f995f98f01f39c
Instruction Fuzzy Hash: EA511634A00659CFDB54EF64C8A8B9DBBB2BF88300F5040EAD40AAB365DB359D85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00AE02DC, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

hec, xrefs: 00AE032A, 00AE033E, 00AE0378, 00AE04CA

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: hec
API String ID: 0-1974791306
Opcode ID: b48ebe1a1395e736c99b79a3bd29568db9399ea4aba6af4ac1a30e150ae5d78e
Instruction ID: da13c71ec3e5e82430427beabf5ce697295187dc8dd53a00182fe99c0e88df9f
Opcode Fuzzy Hash: b48ebe1a1395e736c99b79a3bd29568db9399ea4aba6af4ac1a30e150ae5d78e
Instruction Fuzzy Hash: 87417E30A00246DFDB18DF69D154FAEBBB2EF89710F248469D502AF391DBB19C81DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AE1298, Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

$g^r, xrefs: 00AE1349

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: d0ebf983e4833574534c4a68d68949f5f748ace3bd94fc3ce289698497deecc4
Instruction ID: 43a9878edf4bdc5785e4016db1c89fc8ca49db3ed0bf5a097d1c99f861c88eaf
Opcode Fuzzy Hash: d0ebf983e4833574534c4a68d68949f5f748ace3bd94fc3ce289698497deecc4
Instruction Fuzzy Hash: 81412734A04269DFCB64DF69D854B9DBBB2BF49340F1040EAD40AAB355DB309D84DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00AE02AB, Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

Lmc, xrefs: 00AE02B6

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: Lmc
API String ID: 0-2183760062
Opcode ID: bad0d34764b6eab705d6fbbeb9eee5a550292ca370f59dab86668f7f47b9a2ff
Instruction ID: 4e28bd24086aef6548176113012f210adf7f8985a55a8c7e8cc87b2fe9798ebe
Opcode Fuzzy Hash: bad0d34764b6eab705d6fbbeb9eee5a550292ca370f59dab86668f7f47b9a2ff
Instruction Fuzzy Hash: 21D0A730204640D7C3509B08F4948D177F5FF89700352C96AF54783A14CBB06C018790

Uniqueness

Uniqueness Score: -1.00%

Function 00AE0BC0, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17692e559a30a1dedb8fc9713d68b5c37514ae747e9ff36bd64dddf9beb071b
Instruction ID: f36b6b77159e9e4179c587c27f804de0fa11978a744c84b188fe26db116eadcb
Opcode Fuzzy Hash: c17692e559a30a1dedb8fc9713d68b5c37514ae747e9ff36bd64dddf9beb071b
Instruction Fuzzy Hash: AD41E331B041448FC7159F2DC454AAE7BB6EFC5310F25816AE906EF2A1CEB29C469792

Uniqueness

Uniqueness Score: -1.00%

Function 00AE20D0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a1c9d95680bce3fd1bbf57d431fe2f37c2db30ce120b99b95a12a4ada97c76
Instruction ID: 80227fc5660bc4eb22e8dd0b055aa09e0a926803526db5faa9c1a481c39c09d0
Opcode Fuzzy Hash: 01a1c9d95680bce3fd1bbf57d431fe2f37c2db30ce120b99b95a12a4ada97c76
Instruction Fuzzy Hash: 0D31B730B0828ADFDB05DF69D89077EBBB9FF84300B2181A6C506DB255DB30AD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AE2C58, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8efd5095c766c23d656f79595926c78f0925a1e6c9d1ba51138d6938378e4acb
Instruction ID: 466ac0ea8dcbc63af8aa6375c200fe30618d6d582794ad114a26a3f1c8a8852c
Opcode Fuzzy Hash: 8efd5095c766c23d656f79595926c78f0925a1e6c9d1ba51138d6938378e4acb
Instruction Fuzzy Hash: D721F5716082C1DFC7199726D894B3DBBBDFFC5310B34426AD556CB292CB609C00D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00AE21E8, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1fe925dd1e9d8a9f22beadbc4720b349ca90e1955de39bb15ce41accc5625c4
Instruction ID: 3b0607c74ec88e2295e5c9f8e9647b62d696e92ddfaadd5f6983b518764facdd
Opcode Fuzzy Hash: d1fe925dd1e9d8a9f22beadbc4720b349ca90e1955de39bb15ce41accc5625c4
Instruction Fuzzy Hash: F2315E70D08289DFCB44DFAAC5417FDBBB9FF45300F2040AAD6029B2A1DA749E44DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AE25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a4eb5f8f11a3273073e094ae3257ac83f070b66423da4f095b51d6beb6d82b
Instruction ID: 9ecc622b8ae4cf2bbbd5a41f4d346ec8cdf777fbff0d44012fb26e8135cb7ee9
Opcode Fuzzy Hash: d9a4eb5f8f11a3273073e094ae3257ac83f070b66423da4f095b51d6beb6d82b
Instruction Fuzzy Hash: FB317830A00286CBDB60DF66D85475ABBB6FF84314F20D269C0059F265DBB49A89CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00AE4190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2fd98a0a4bc9d63eaf3efb5c43ba934674440f180a1367d6fe5f1aa09847b0
Instruction ID: 8f674b57072359da109f39f8939a020f0a403bfa6db73258b7b28e4fc4b6d23f
Opcode Fuzzy Hash: ab2fd98a0a4bc9d63eaf3efb5c43ba934674440f180a1367d6fe5f1aa09847b0
Instruction Fuzzy Hash: 8611D671B002569BDB14ABB6D8145FF7ABFAFC8340F61413AE60797284EE71884097A2

Uniqueness

Uniqueness Score: -1.00%

Function 00AE11DF, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2a9ac77772cf9a4cb97b7f2a6013a3266e04fa8607d8ba7223d67efd68c2e9
Instruction ID: 1c811bb95c8452191e171cb7dcbe160f3745951e02471aa4ffa6472c8eb0646e
Opcode Fuzzy Hash: fc2a9ac77772cf9a4cb97b7f2a6013a3266e04fa8607d8ba7223d67efd68c2e9
Instruction Fuzzy Hash: AD11C4303092E0CFC705972AD8649A97FF6AF86700B6541FBD646CF366CB758C098792

Uniqueness

Uniqueness Score: -1.00%

Function 007E0846, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223408684.00000000007E0000.00000040.00000040.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7212d90ea2ee74ad2ecff5a5f255c6752c295308d1e623e20cbf565adc6ceb9f
Instruction ID: a2c3c3796bb92bbcd7eb62e7e4b8a7c3cde9dce098751b488f2946e7908150cc
Opcode Fuzzy Hash: 7212d90ea2ee74ad2ecff5a5f255c6752c295308d1e623e20cbf565adc6ceb9f
Instruction Fuzzy Hash: 58214F3550E3C59FD7078B21C850B51BFB1AB4B314F2986DAD8858B6A3C37A9846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007E087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223408684.00000000007E0000.00000040.00000040.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c682c6b3c5e89bf4bb4536c2f41f69bfb4ed2f4a52de761dff5521dd09a543e
Instruction ID: 6e2c0d90936b8170b4acdb9699eb1a389df515d48698b9729ca6635b6e36379b
Opcode Fuzzy Hash: 1c682c6b3c5e89bf4bb4536c2f41f69bfb4ed2f4a52de761dff5521dd09a543e
Instruction Fuzzy Hash: 7A11E434205384DFD305CB25C940B26BBD1AB8C708F24C99CE9894B643C7BFD853DA91

Uniqueness

Uniqueness Score: -1.00%

Function 00AE05C0, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ec2b33075473a9169d9332ddd7a582c3c36c80670b201b0c27cd84b286b874
Instruction ID: 0605c73da6d85b8bfcb7febceb2d285579f501346d350006e85643aade1405f1
Opcode Fuzzy Hash: 15ec2b33075473a9169d9332ddd7a582c3c36c80670b201b0c27cd84b286b874
Instruction Fuzzy Hash: 57F0223030016A17CB487A7EA4116BE668B6FC4A24758802EE10ADF3C5DFA08C0357EA

Uniqueness

Uniqueness Score: -1.00%

Function 00AE1209, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e561a84b779468ac2ef9e6afdcf160e3773a1ebc36def4558c84772c3f09eeee
Instruction ID: 7840223a6e1bb48092505fe76dcdf41cfd1f02605d4d84a5e0e69a6b169e5829
Opcode Fuzzy Hash: e561a84b779468ac2ef9e6afdcf160e3773a1ebc36def4558c84772c3f09eeee
Instruction Fuzzy Hash: 8C015A313085A0CFC704AB2DD8688A97BE6BF9670077541FAE606CB3A6CE718C099752

Uniqueness

Uniqueness Score: -1.00%

Function 007E05CD, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223408684.00000000007E0000.00000040.00000040.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4242068e142742ad2e521feaa7f2c7aedb4cb4a6b5578c223c5643640ca2bf
Instruction ID: 2ad46e05d6f62f4e80d40703759aa20c3eda6acfd8a8af29adfba9ca6bbf8f0b
Opcode Fuzzy Hash: 4b4242068e142742ad2e521feaa7f2c7aedb4cb4a6b5578c223c5643640ca2bf
Instruction Fuzzy Hash: 2E01DB7250D7805FD7028F169C40862FFB8EA86220708C09FED498B612D225B908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00AE1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03dd6275ce75f4837ba6fdecc36f33aa8020328c3b4a808a61affb37e58ec8f7
Instruction ID: 5a84d82e9f23f5efcb3383a0c64d1cc3b69b48c998f41ab2e38fe902a1ca88a5
Opcode Fuzzy Hash: 03dd6275ce75f4837ba6fdecc36f33aa8020328c3b4a808a61affb37e58ec8f7
Instruction Fuzzy Hash: 2A013130304460CBC644AB2DD4589AE7BFABFC9714B7441BAE606CB775CFB19C099B82

Uniqueness

Uniqueness Score: -1.00%

Function 00AE0D25, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3fa457ad87176b7efe160c71ddd943963db719c72ec4170c7e519b7a7525f3e
Instruction ID: 13a277711d8292e875182a47a71cbbe00a46831df2bb51c7b993912b18a6876b
Opcode Fuzzy Hash: f3fa457ad87176b7efe160c71ddd943963db719c72ec4170c7e519b7a7525f3e
Instruction Fuzzy Hash: FD014B353042408FC7409B28D898A597BE2EF89715B2180BAE44ACB776DB71DC49DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00AE4180, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f517a0be8b44b89dcf49e8f2cccf38d7f707fc9c3bf310a4093d010013503689
Instruction ID: 5bcdca67121cbc8aa814aab21d2994d236908ebffe880c74ed9d282eb664f379
Opcode Fuzzy Hash: f517a0be8b44b89dcf49e8f2cccf38d7f707fc9c3bf310a4093d010013503689
Instruction Fuzzy Hash: 65F02731A083C49AEF2057766C454EE7FBC9ADA340710027AD90A82001E57500449A91

Uniqueness

Uniqueness Score: -1.00%

Function 00AE0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7d50261be6a92d93694c388a7ce7a09198e96f9dd6ef34771b22dd5c87f5f9
Instruction ID: ee4357d8e139bf901ac47646b1f86f991711e4275a5606a44caa1ad772f32ffa
Opcode Fuzzy Hash: fd7d50261be6a92d93694c388a7ce7a09198e96f9dd6ef34771b22dd5c87f5f9
Instruction Fuzzy Hash: 6BE0E532E15298DA9B205EFA98409AFBBB9D7C5390F1045379A07A3242D9F0598162D1

Uniqueness

Uniqueness Score: -1.00%

Function 007E0938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223408684.00000000007E0000.00000040.00000040.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 75ae8f78d6c13cbbf03945462f3cb47a6a3f4ec7dd0390eafd0948fb1a79aff1
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 9CF0FB35104684DFC205DF00D540B15FBA2EB89718F24C6A9E9890B652C37BA812DA81

Uniqueness

Uniqueness Score: -1.00%

Function 00AE0D49, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf2304d1fb67321c30909253e4e4df21ab107c7b62ce197c3015899f115bd6f
Instruction ID: 380123f4fe8e11ac9550cdb598ea5cce36358f821897f44b35a38d1137edb469
Opcode Fuzzy Hash: bbf2304d1fb67321c30909253e4e4df21ab107c7b62ce197c3015899f115bd6f
Instruction Fuzzy Hash: D8F03031310205CFCB449B69E888B987BE1FB88312B20856AE546CB2B5DE759C459B55

Uniqueness

Uniqueness Score: -1.00%

Function 007E05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223408684.00000000007E0000.00000040.00000040.sdmp, Offset: 007E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa9deed039259586531a0805fb356ac46b95846bd55fbebc178a3c7739c364c
Instruction ID: 77cfaaacb4c275a67fe94c9849c1951151223e3251317b0a54fca0135f981c19
Opcode Fuzzy Hash: 4aa9deed039259586531a0805fb356ac46b95846bd55fbebc178a3c7739c364c
Instruction Fuzzy Hash: F5E09276604A008BD650CF0BEC41462F7E8EB88630B18C07FDC0D8B700E535B504CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 00AE2D20, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c9065dd62648a8c246ca5dd3373348fe85ce4fcd813c021cf0a75becd2ca666
Instruction ID: 8b46eabf6394e5d6efa394cedc847de2bf152e1690f4b83b18720131b5c977b9
Opcode Fuzzy Hash: 2c9065dd62648a8c246ca5dd3373348fe85ce4fcd813c021cf0a75becd2ca666
Instruction Fuzzy Hash: 7AD0A77904D7C8EEE7631366ACD57743B7C9B2A305F350083E7458D0F351548900A326

Uniqueness

Uniqueness Score: -1.00%

Function 00AE016F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ab63081352e2cc3a7365f4d57d82f8cabeff6dbc0e8c5b4fa6ac1675415665
Instruction ID: b17cd908abae570f10016cc562a9b50a742010aa6c651603a10a579b3943f415
Opcode Fuzzy Hash: b7ab63081352e2cc3a7365f4d57d82f8cabeff6dbc0e8c5b4fa6ac1675415665
Instruction Fuzzy Hash: A1E02B32200340DFCB053734E82902C3375AF4322571006FAD4218F6E1FA3AD841C780

Uniqueness

Uniqueness Score: -1.00%

Function 00AE0650, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa198016bd575e8ecfcc0dcb5187b965a1bcde138f34b5c19d2cbec32e62d14b
Instruction ID: 9244bf03df2e098b23b1914faa259129d98e4b606f4c69f743bbc5a96969d78c
Opcode Fuzzy Hash: aa198016bd575e8ecfcc0dcb5187b965a1bcde138f34b5c19d2cbec32e62d14b
Instruction Fuzzy Hash: 85D05E7504E3C4CFC3125B3128285B57B759EA3308B2884A7D84089463D5A598A6E776

Uniqueness

Uniqueness Score: -1.00%

Function 006223F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223329548.0000000000622000.00000040.00000001.sdmp, Offset: 00622000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565373897648dbc5cd78b3911efde8c671810d5e00595deb0f4b3b60ab3554d4
Instruction ID: f5e484f4939e48c616907dd047051dc603ff4a0d2495b8e9a00785c9e57fa5ff
Opcode Fuzzy Hash: 565373897648dbc5cd78b3911efde8c671810d5e00595deb0f4b3b60ab3554d4
Instruction Fuzzy Hash: 04D02E38200A929FC3229A0CD0B8B943BD1AB41B00F0640FEE8008B363C368D9C0DA00

Uniqueness

Uniqueness Score: -1.00%

Function 006223BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223329548.0000000000622000.00000040.00000001.sdmp, Offset: 00622000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408ca15fceca7f32376be9b3776d7ee784cc7b8ae25133e09e185cab994332ab
Instruction ID: 557940be3c3057fff5d7077879f7d052cfa5f0fc4a901426a7b6a79d6bd8616a
Opcode Fuzzy Hash: 408ca15fceca7f32376be9b3776d7ee784cc7b8ae25133e09e185cab994332ab
Instruction Fuzzy Hash: CBD05E342006828BC719DB0CD5A4F9937D5AF41B00F0644E8AC008B762C3A8DC81CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00AE0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e48f30728dbe14611d8c3b09ceb304611ca9800e61f832e288b8c020385f5f2
Instruction ID: 2759b86006a7ee5f446ac211e7e7c650ebb25ffa3e66abf34591261d4ff2857f
Opcode Fuzzy Hash: 3e48f30728dbe14611d8c3b09ceb304611ca9800e61f832e288b8c020385f5f2
Instruction Fuzzy Hash: 86D01271200305CFCB082B74E41D4183366AB45209310487CE8068B750EF37D840CA40

Uniqueness

Uniqueness Score: -1.00%

Function 00AE2EC0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cd5708b335b46633487d37fbcd9610134cf09e7d395bc61c1169e52b9cea39
Instruction ID: 411cde7782c105ca39b7ba718b21660a6bf88dc034f1a47dfadf06ae06b45624
Opcode Fuzzy Hash: 89cd5708b335b46633487d37fbcd9610134cf09e7d395bc61c1169e52b9cea39
Instruction Fuzzy Hash: 36B0123135824D0BEB5097F67C48B6637CC8780B19F4810B1F80CC5900F5C6E8E03690

Uniqueness

Uniqueness Score: -1.00%

Function 00AE0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d1df242da83f9620073fecac54a1f291a8b4ebbb4735a8121c9ff346159f32
Instruction ID: b2bd6bd8c003aabf85e0fbcdce1d54cde889a6831c3f2b0a358d24fb6cda1ef5
Opcode Fuzzy Hash: d5d1df242da83f9620073fecac54a1f291a8b4ebbb4735a8121c9ff346159f32
Instruction Fuzzy Hash: 5BC02B710493C4CFC31417722C04E35722A5AC0308724C43184010002089F254F1EC65

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00AE0D93, Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

:@:r, xrefs: 00AE10CB
,:ar, xrefs: 00AE0E38
X1ar, xrefs: 00AE0F1C
0`r, xrefs: 00AE0F8E

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: ,:ar$0`r$:@:r$X1ar
API String ID: 0-2614842347
Opcode ID: 7193e0c99597af284d55b6072bd1e8ce2650df165a3f5a7db2c98c1f52cc8848
Instruction ID: 284e0b2fadac5153538a293b7f69c7e1c8fa4484d3df858b1992bb3ec7295b5d
Opcode Fuzzy Hash: 7193e0c99597af284d55b6072bd1e8ce2650df165a3f5a7db2c98c1f52cc8848
Instruction Fuzzy Hash: BDB19670A09745CFD3A4DF78C160B6ABBE2BBD8704F10496DE54A8B399EF719845CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00AE01A8, Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

hfc, xrefs: 00AE01DC
hfc, xrefs: 00AE0264
hfc, xrefs: 00AE020B
hfc, xrefs: 00AE023A

Memory Dump Source

Source File: 00000005.00000002.223512709.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: false

Similarity

API ID:
String ID: hfc$hfc$hfc$hfc
API String ID: 0-2661775334
Opcode ID: 3180d59cbc8b9fc930ef6b0bdcf71195bfaccd91ef7ad6ecea0925e55a39e73e
Instruction ID: 3d17c6821d72d14d7811f82e1a509b4430bf2c5147ec74b1704861021297124f
Opcode Fuzzy Hash: 3180d59cbc8b9fc930ef6b0bdcf71195bfaccd91ef7ad6ecea0925e55a39e73e
Instruction Fuzzy Hash: 0A215C707012549FEB108E69D880F667BEAEFCAB94F504469F6059B381EAA0AC418B65

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exe PID: 3216 Parent PID: 528 dhcpmon.exeCOMMON

Executed Functions

Function 00DC3850, Relevance: 2.0, Strings: 1, Instructions: 737COMMON

Download Yara Rule

Strings

>_?r, xrefs: 00DC3F9D

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: >_?r
API String ID: 0-2961507119
Opcode ID: 9ce3c8c299592c37f6b17da021d80769c4d558740375ea81b6cd31953e2fabd9
Instruction ID: c717d80f6a9251d22724a16c3deb9002e46a0e0c3d1f995d2bbb1ab987202d0f
Opcode Fuzzy Hash: 9ce3c8c299592c37f6b17da021d80769c4d558740375ea81b6cd31953e2fabd9
Instruction Fuzzy Hash: 1D42A371A04216CFCB14CF58C884EADBBF2FF84310B29C5AAD5599B256D771EE41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce59f638f95b14fa43d8419ab12e49e2e64d48bf6eeb3f86e0bf0fafc2f6930
Instruction ID: 8f0cebee1431968e0657416d40a20f9c5c4dace7fcda8037e2f598b222420e8f
Opcode Fuzzy Hash: 6ce59f638f95b14fa43d8419ab12e49e2e64d48bf6eeb3f86e0bf0fafc2f6930
Instruction Fuzzy Hash: DB128830A18216CFCB24DF68C980B7DBBF2BB84314F28852ED456EB295DB74D945DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed516c373ff263b0e423109e5e78b1f11386251678a73263961b05eb0b1fbab
Instruction ID: 790187e83d5c1b4e26fa4a42704cb40c733b6cf3f2f79fb74aa1a72195bf3ffb
Opcode Fuzzy Hash: 8ed516c373ff263b0e423109e5e78b1f11386251678a73263961b05eb0b1fbab
Instruction Fuzzy Hash: 97818D32F011169BDB14DB69C844B6EBBF3AFC8710B2AC479E4059B365DE31DD018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC09A9, Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

X1ar, xrefs: 00DC0A50
X1ar, xrefs: 00DC0A5A
X1ar, xrefs: 00DC0AA2
X1ar, xrefs: 00DC0A98

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: X1ar$X1ar$X1ar$X1ar
API String ID: 0-346077691
Opcode ID: 4ac202dacf2d6c1209713337a1383d738e95467decd86a6d9261bb9517713f3b
Instruction ID: 5682069fdb13890345bee6a0dff0f73ce77744ca7e9f5f96d91030365b46e802
Opcode Fuzzy Hash: 4ac202dacf2d6c1209713337a1383d738e95467decd86a6d9261bb9517713f3b
Instruction Fuzzy Hash: F7416E35B10105DFCB04DFA8D898A6EBBF2FF84710F658169E5169B3A4CB31AC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00DC09A0, Relevance: 5.1, Strings: 4, Instructions: 104COMMON

Download Yara Rule

Strings

X1ar, xrefs: 00DC0A50
X1ar, xrefs: 00DC0A5A
X1ar, xrefs: 00DC0AA2
X1ar, xrefs: 00DC0A98

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: X1ar$X1ar$X1ar$X1ar
API String ID: 0-346077691
Opcode ID: bcdbeb85b3d8803c5c8f82999317b99efcc4ca21d4e17ba03a17086c46c82067
Instruction ID: 371a4504decda85157eb339a6f1be535774e157e594dfd1770211de1f466b856
Opcode Fuzzy Hash: bcdbeb85b3d8803c5c8f82999317b99efcc4ca21d4e17ba03a17086c46c82067
Instruction Fuzzy Hash: B431D431B04252DBCB14DBA8D895BAEBBB2FB84700F748419E5469B380CB30EC02C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC02E8, Relevance: 2.7, Strings: 2, Instructions: 170COMMON

Download Yara Rule

Strings

:@:r, xrefs: 00DC0537
`5ar, xrefs: 00DC03A5

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: :@:r$`5ar
API String ID: 0-3512261011
Opcode ID: 90d303edbfd82a5a287f6e3553e583aae2f678b28605d8e911e7f80a57526561
Instruction ID: d144054fbd48ca08e22ef5bf97ced66cf18707206e8ba08b8be15c1243430a77
Opcode Fuzzy Hash: 90d303edbfd82a5a287f6e3553e583aae2f678b28605d8e911e7f80a57526561
Instruction Fuzzy Hash: 40517D30A04246CFDB58DF68C460B6E7FF2AF89710F28846DD546AB3A1DB71AC01DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2D58, Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

>_?r, xrefs: 00DC2DA5
, xrefs: 00DC2E76

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: $>_?r
API String ID: 0-334426466
Opcode ID: 4f5640e9e03c3d2d6c1d3e9c297391d459cb0c9c48e0a798a58ec741a7f01993
Instruction ID: 9b830acb1d45e588d53482c65215eba4ab4f3af31ce88ebd1d607df04c2b683e
Opcode Fuzzy Hash: 4f5640e9e03c3d2d6c1d3e9c297391d459cb0c9c48e0a798a58ec741a7f01993
Instruction Fuzzy Hash: 1641B970E08216CBCB10DF69C844BBE7BA6ABC0315B39C47EE456EB705D631D84287A1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC12A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$g^r, xrefs: 00DC1349

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: a9ea922ae64410b10a641115f871c2c469a395e809ba0c14d5b02304942d621a
Instruction ID: c208bd5b1301b971bce473008abc2c5738b5b800f19f0f06222e496f04fd15d7
Opcode Fuzzy Hash: a9ea922ae64410b10a641115f871c2c469a395e809ba0c14d5b02304942d621a
Instruction Fuzzy Hash: F222D538A04615CFC724DF28C490E6ABBF2FF89310B148999D85A9B756DB34ED85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04C800F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04C8019D

Memory Dump Source

Source File: 00000007.00000002.229513666.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 5d903e8d5955eb97078380317e9a23d7166f1112ddd831a531fa982abe47bb4d
Instruction ID: c8a0269004a41aae4319ba9d346f3301897ad47abe767426d4a7c5af491b06a0
Opcode Fuzzy Hash: 5d903e8d5955eb97078380317e9a23d7166f1112ddd831a531fa982abe47bb4d
Instruction Fuzzy Hash: B731AF75509380AFE712CF25CC85F56FFE8EF06310F09849AE984CB292D364A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04C8012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04C8019D

Memory Dump Source

Source File: 00000007.00000002.229513666.0000000004C80000.00000040.00000001.sdmp, Offset: 04C80000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: ee8a19a3c40294da50830f9ed8d9cc1b21bd167e23b5a6b4e1d2a6c70dafb39f
Instruction ID: 54d1803dd617221a1d0c30b664a3513bdfa6d67ad061d0d77488199dd9b76d09
Opcode Fuzzy Hash: ee8a19a3c40294da50830f9ed8d9cc1b21bd167e23b5a6b4e1d2a6c70dafb39f
Instruction Fuzzy Hash: 42218E75604200AFE720DF26DC85B6AFBE8EF05724F18846EED458B241E771F508CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00DC20D0, Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

r*+, xrefs: 00DC230F

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: fc4ab19e64e27ced0c5f47d2a76c8d6920da9f1541fad3a5092b50aca35af657
Instruction ID: 3abf522bd9a0d579e71412cad7e5d196e993b417f35003f149ade7c56840fce3
Opcode Fuzzy Hash: fc4ab19e64e27ced0c5f47d2a76c8d6920da9f1541fad3a5092b50aca35af657
Instruction Fuzzy Hash: 6D714E30A0820ADFCB44DFA8C581BBEBBB1FF85300F24846ED5469B265DB749E41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DC1458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$g^r, xrefs: 00DC14C7

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: abb7c5e8af7bd39fb40e14badb50ce4a7ed0476c8f052dab7ac516293733050c
Instruction ID: 43c9ef6cd6ab0472926faec4fa8003067e9d8cb955c3dce6709ed8edeac7ff95
Opcode Fuzzy Hash: abb7c5e8af7bd39fb40e14badb50ce4a7ed0476c8f052dab7ac516293733050c
Instruction Fuzzy Hash: 9551B334A04219CFDB54DF64C894B9DBBB2BF89300F5045AAD40AAF366CB359D85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00DC1292, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

$g^r, xrefs: 00DC1349

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: d864192226800debf0059b139c120003af1b4dd0b587eb1cf4c976ca4c12a86f
Instruction ID: f7dcc6d1d70877107cb5ccfe9d6c71239cdf13009adbf52aaff8e59b7c390e65
Opcode Fuzzy Hash: d864192226800debf0059b139c120003af1b4dd0b587eb1cf4c976ca4c12a86f
Instruction Fuzzy Hash: 96412C78A08269CFCB54DF68C840B9DBBB1BF4A304F1044EAD44AAB356DB309D85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0BC0, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8153f70d3e57def5fd602c283a8ba58808e4c7119faf53b167f57342212b6c
Instruction ID: b420cd2c39444fb34b9e18dc1a808c409fd518b7b8a32f3d26d6724d4f3880e2
Opcode Fuzzy Hash: 9e8153f70d3e57def5fd602c283a8ba58808e4c7119faf53b167f57342212b6c
Instruction Fuzzy Hash: 3B41B631B04114CFCB159F6CC414BAE7BE6AFC5310F25816AE94AAF391CEB1DC0697A1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0682, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fe6eb03ff9423abdf4ad2e50a28c77f2743ae903fa41270a2d06c4902611
Instruction ID: e51a469a2d3f6b17e3d4c8ca12aed108543f2e918194958e7c0477381caf256b
Opcode Fuzzy Hash: 4108fe6eb03ff9423abdf4ad2e50a28c77f2743ae903fa41270a2d06c4902611
Instruction Fuzzy Hash: A3411C3162C201CBC7147BB8EC5866D7BA6AFC0755B25856AE402CB3B5DF708C41ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2BF8, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32629ee4f38dc3714afe6f9682539d240e6f59df1567d225cbdf9ae741705d70
Instruction ID: a961b82c7f7bae020148d1167e7d0a5ad38481cf6c93872f39935b68e3e15701
Opcode Fuzzy Hash: 32629ee4f38dc3714afe6f9682539d240e6f59df1567d225cbdf9ae741705d70
Instruction Fuzzy Hash: A241233160D393DFC31187249984F7D7FA0AF82300B2A81AFD086CF2A2C661DC06D762

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0690, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c0ff6f6062c455b71ba8f476a757f7e321a62ecc5ab84791522fb3e4f34d1f
Instruction ID: d8e3e1f72204b8c51cb4d8edf8b3b86661b9039a23781a987d0d8480cb0f06b0
Opcode Fuzzy Hash: 82c0ff6f6062c455b71ba8f476a757f7e321a62ecc5ab84791522fb3e4f34d1f
Instruction Fuzzy Hash: A6413D3162C201CBC7187BB8EC4C66D7AA6AFC0751764856AF402CB3B5DF70DC41ABA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DC02DA, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ae9733460568adfc7a99e83f6bd0f479b3c6090a8029e5f1a071a94e28464f
Instruction ID: 562ea86206d95469a8699bd5d753504168317ef00b667f21718243dd7e169fd6
Opcode Fuzzy Hash: 34ae9733460568adfc7a99e83f6bd0f479b3c6090a8029e5f1a071a94e28464f
Instruction Fuzzy Hash: CF314B30A05206CFDB58DB68C454FAE7FF2AF88710F24846DD606AB7A1DB71AC41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DC08B2, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7ba96df5687219738f2d21da7f14934154d55a27f1eb846fe11f084501769d
Instruction ID: e8f56ae5adda95413225c5320fd581b8f052657b593e305b2ca46e6517e94fdb
Opcode Fuzzy Hash: 1b7ba96df5687219738f2d21da7f14934154d55a27f1eb846fe11f084501769d
Instruction Fuzzy Hash: 4F21F63262D102DBC7113BF5FC8CA5DBF61AF90756B24452AF526C2371DB60C841BBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DC25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac8c3011bf23121ba478d38488ff4f8c1f9d5369cb901b7ac91f8eb8a62719f
Instruction ID: 829f55220b7089ec3125adb65a4f06e901beae14351ae0ca91ad3bf7bec50539
Opcode Fuzzy Hash: 6ac8c3011bf23121ba478d38488ff4f8c1f9d5369cb901b7ac91f8eb8a62719f
Instruction Fuzzy Hash: BB31AD30A18246CFDB20DF25C840B6ABBF2FF84314F24C52DC015AB264CBB49949DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC21E8, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfd47dba1fd06cd692df4f9be9d20564a9961ee199e5c32ae825f451fc81529
Instruction ID: 6ed00e08638abc583cb8ecd2976586a50668a3f49bbe68aadfdf1b32b6147fcb
Opcode Fuzzy Hash: 3dfd47dba1fd06cd692df4f9be9d20564a9961ee199e5c32ae825f451fc81529
Instruction Fuzzy Hash: DD312870E0820ADFCB44DBA4C545BBEBBB1FB45304F24816ED442AB3A1DA358E45DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00DC21F8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd019fc8aa8a0e82a8ab100eb5b4310c12cc7e789361470aaf6de65aefbb46d
Instruction ID: bfc52a9fae79f6c33d8e3d39798a995de211b7412d8a3284ee3bd2c3dea98ec5
Opcode Fuzzy Hash: 5fd019fc8aa8a0e82a8ab100eb5b4310c12cc7e789361470aaf6de65aefbb46d
Instruction Fuzzy Hash: 61210C30D0820ADFCB44DFA4C545BBEFBB1FB44300F20816ED542972A1DA759E41DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76396e6514bacbf1eddee3176aaa69e19cd89e79fc00f0d5e28f0699048a5195
Instruction ID: 258a01bbdb95c6fcc821c3d6011d096e033aec87d91bdc62db67947997500e2b
Opcode Fuzzy Hash: 76396e6514bacbf1eddee3176aaa69e19cd89e79fc00f0d5e28f0699048a5195
Instruction Fuzzy Hash: 33110A71B142068BDB24ABB4D825BBFBAAAEFC5340B60453EA54797240DE75C84057B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0B18, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b877a550156050dfbfd08c6f5ee979ccf0eb9d8b7311d52b814d5df98acb6545
Instruction ID: 433a0627755c8ec7865fb41db8c5824c9d3761b987d0f4e40d4dc6b413bf4c7f
Opcode Fuzzy Hash: b877a550156050dfbfd08c6f5ee979ccf0eb9d8b7311d52b814d5df98acb6545
Instruction Fuzzy Hash: 3211C821B58157EBCB24E5748811F6E79A75B84B48F30456E9983E7240DA30CE00DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC11DF, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674185f781ce18afcb62d9ac723a55c2c86939ad045b097569e179f199c52fcb
Instruction ID: 57c8315ed849e253820a91ff24bd3518ad8bf8d5385eb24ecb20733c01944a9f
Opcode Fuzzy Hash: 674185f781ce18afcb62d9ac723a55c2c86939ad045b097569e179f199c52fcb
Instruction Fuzzy Hash: F4115E3830D1908FC3059728D464A69BFA5AF8720072541EED086CF2A7CA658C098BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2390, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b792b0a43a6e4e8972d069998827247c892fbe40212339b0b88a085ef2fab624
Instruction ID: a7960c11c734c3e8246330a8eb9162f21bb8305bf6a192e13da8f69e68432cbc
Opcode Fuzzy Hash: b792b0a43a6e4e8972d069998827247c892fbe40212339b0b88a085ef2fab624
Instruction Fuzzy Hash: 21115E71D1828ADFCB188F64D840FBE7FB1AB54304F20446ED186AB384DB718842DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0D46, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9308b72165e772f6a5dfbc2b2457e86be8ddc8499c68412bb40d0e207f16363
Instruction ID: d6c8d7630f57e17b71db2f30ca1764c8521e431370fc6079413df36ab765f32c
Opcode Fuzzy Hash: d9308b72165e772f6a5dfbc2b2457e86be8ddc8499c68412bb40d0e207f16363
Instruction Fuzzy Hash: 8E011B34318202CFCB009B78D494B597FE2EF85715B20846AE446CF675DA71DC499B51

Uniqueness

Uniqueness Score: -1.00%

Function 00DC05BA, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04e63a797b150c590eb7282800b4c400b46d80ac91961117bf2b70e32372709
Instruction ID: 0c93630e95d2ad73831dd2bc7d84273e209dda7c44b9940c1ed6bec423acab8a
Opcode Fuzzy Hash: b04e63a797b150c590eb7282800b4c400b46d80ac91961117bf2b70e32372709
Instruction Fuzzy Hash: 81F0DCA17081594BCB19777DA411BBE1A8B4BC4708B28802ED14ADF786DDB58C0303EA

Uniqueness

Uniqueness Score: -1.00%

Function 00DC05C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45e290f14d417ebed669551e2997f609f9791c152258b0373c5cebe8cb834c0
Instruction ID: 38eda511d46f9e8c04f176f68e8fe7a0e14e5a8ecb829ab169c33e6868dd394d
Opcode Fuzzy Hash: a45e290f14d417ebed669551e2997f609f9791c152258b0373c5cebe8cb834c0
Instruction Fuzzy Hash: 4EF090B131412947CB197B7DA411AAF668B9BC4B54764802EE14ADF385CDB58C0313FA

Uniqueness

Uniqueness Score: -1.00%

Function 00DC1209, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbe48ffbcdc27ebf26ba058c231bc8d1ed1f2fa495cecb0ada3854b6b238f53
Instruction ID: c6cbdc3ffd4e8460c89487c7b020a2c73a3136f128213fcf00d50ee955788ff0
Opcode Fuzzy Hash: 3dbe48ffbcdc27ebf26ba058c231bc8d1ed1f2fa495cecb0ada3854b6b238f53
Instruction Fuzzy Hash: C6017C38318020CFC604A728D058E69BBE6BFC6704B2541BEE046CF376CF718C099B96

Uniqueness

Uniqueness Score: -1.00%

Function 00DC1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd37737994e8076eb64e1ae32a872b9fe4020a4bf2392c6e8100a52c50069b82
Instruction ID: e57e739b0ea418df5bd2cf86eb5d3a6e8fcdbe9e834a1fc8fb6a0a054f27e682
Opcode Fuzzy Hash: dd37737994e8076eb64e1ae32a872b9fe4020a4bf2392c6e8100a52c50069b82
Instruction Fuzzy Hash: 48016238304020CBC604972CD054E69BBEABFC6710B2041AEE546CF366CF71DC099B95

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9db72b34906ab24c60f10de114b7f39b8d31000eb2b9b7d6bcbb117041a0f7
Instruction ID: 749beafe4a80b1616dc36a11b96ac4445a55e5d8061c596d979a2fa9f30c4c11
Opcode Fuzzy Hash: 9f9db72b34906ab24c60f10de114b7f39b8d31000eb2b9b7d6bcbb117041a0f7
Instruction Fuzzy Hash: 98E0E532E19319DA9B505AF9D800FAFBFA9D7C5350F28452BDA47E3241DD70C80166B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4180, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64b3006d104655608b7f81ecdd4a395da42a91c80d51d2a71f241c87dcb9bc5
Instruction ID: f2f7bf414c3b8015fe46107562b7bf7d4f0466e3ed54c1796a1f9a5c0e64f6eb
Opcode Fuzzy Hash: f64b3006d104655608b7f81ecdd4a395da42a91c80d51d2a71f241c87dcb9bc5
Instruction Fuzzy Hash: 79F05531A0A3469ADB2016743C299EFBFA48AD5381B31043FE886C3200E67480084A72

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0908, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443211714eca25367db5b4ece8c0acce92d775ea5de8de75021e7283cc086758
Instruction ID: 72fc494a3f7155857e6d9b29f3dd38ca069485f25d7cf2716e5fff89c6b72dbd
Opcode Fuzzy Hash: 443211714eca25367db5b4ece8c0acce92d775ea5de8de75021e7283cc086758
Instruction Fuzzy Hash: FEF0EC30D1D394DBD7209AF48810F6F6FA54B81300F29046F8983A7282C8B48C02AA62

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0650, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eea0f7277478ac0f301802c65311d978b0e5b5d58d48b60492b8798c0b01c3e
Instruction ID: 7483eb7e8b56f9cdc48f5d30779370ca60847c354ef9429c2312454e39fbc1d3
Opcode Fuzzy Hash: 7eea0f7277478ac0f301802c65311d978b0e5b5d58d48b60492b8798c0b01c3e
Instruction Fuzzy Hash: E3D05E310DE3C5CFC7124BB018359A97F704E9220472484AFC4818A9A3C03A445BEB32

Uniqueness

Uniqueness Score: -1.00%

Function 00DC016F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cccb4369d0ed8d26857039f5f59cf6a524c7d5116eb025d56447abd0665b401
Instruction ID: 235cd6637c913cb5d8555d21c70a51cf0fd0d9d800d0d1b5aed3d8e0b8534aca
Opcode Fuzzy Hash: 6cccb4369d0ed8d26857039f5f59cf6a524c7d5116eb025d56447abd0665b401
Instruction Fuzzy Hash: 5CE012316097408FCB155730D86556C3B61AF96115714067DD466CFBE1EA3A8486DA01

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2D20, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12920f740510e73ca503da6c6eef84ac3e7d583684a554210dde0868c1f7e34
Instruction ID: 12c6c79dd004817343209908f716ed2b73a29896ed04b291565e4d3588586b5b
Opcode Fuzzy Hash: c12920f740510e73ca503da6c6eef84ac3e7d583684a554210dde0868c1f7e34
Instruction Fuzzy Hash: FAD0A93418C282AAE35002A06C25FB63AA04738301F3905AE90CB2B1E68241C20176A2

Uniqueness

Uniqueness Score: -1.00%

Function 00DC02A1, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14fe705e8250f7681fed937959c73a27e71906d9e97c5b36a06972479d88c9e3
Instruction ID: e04d880640f9d558c7a10e356fb2f837e63537e4f9552676a75c95c0dbe43624
Opcode Fuzzy Hash: 14fe705e8250f7681fed937959c73a27e71906d9e97c5b36a06972479d88c9e3
Instruction Fuzzy Hash: B9D05E7B609A00CFD3609B24E854B89BBE1BB80310B66891DD0C60BB94C770EC068B00

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f433f3d566262ff5260be203e7a6fd361bcb301f426471b078e29b9d513dce0
Instruction ID: 99c5349e5325711a3cc20d9f5ebc69b77816e0be262be332b960d73b74400d24
Opcode Fuzzy Hash: 9f433f3d566262ff5260be203e7a6fd361bcb301f426471b078e29b9d513dce0
Instruction Fuzzy Hash: 53D01230218304CFCB082B70E81982833AABB8920A300087CE8068FB60EF37E880DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2D30, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eaca9a904095cfad30f013c75ba1a2c05bf7f240695aeefeeee99547569dcf4
Instruction ID: be7b92e01b023a347aa235d24e47c56a0110ed3274d0e17a74258609bc48ef52
Opcode Fuzzy Hash: 6eaca9a904095cfad30f013c75ba1a2c05bf7f240695aeefeeee99547569dcf4
Instruction Fuzzy Hash: 12C092341AC60AE6E5941284AC1AFB47228973CB12F34080AA2CF1B1A81681E21071F6

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a93fd8e7d22196d3af65e226c189a95cbce714a751baf4ba08666f9a37e90e6
Instruction ID: cd51196776d6b7472fcf8f768aba65b6ed645450ed4432c6a71b6df5295c5365
Opcode Fuzzy Hash: 7a93fd8e7d22196d3af65e226c189a95cbce714a751baf4ba08666f9a37e90e6
Instruction Fuzzy Hash: B5C02B300DD306CFC3041FF01C08E35BA0856C0304330C439840101220C932D471FD31

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.228456444.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5fd75f282cfa2f8a9893b5ba313a4dd69be5f7058e38e10218f6e4e4077b67
Instruction ID: 2f22ebcc09bc881c890958068231421b1eaa5644111b7f2a13afb32a2741420a
Opcode Fuzzy Hash: 4a5fd75f282cfa2f8a9893b5ba313a4dd69be5f7058e38e10218f6e4e4077b67
Instruction Fuzzy Hash: E5B0123021C20A0B174057B52C0CF32338C46406057480064A80CD1500F510D4903350

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 3528 Parent PID: 3388 dhcpmon.exeCOMMON

Executed Functions

Function 048F3850, Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

>_?r, xrefs: 048F3F9D

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID: >_?r
API String ID: 0-2961507119
Opcode ID: 1c708c0f8b67b06eb13bd861cb6ceb71ba49d38784b971d1599987ce6a197d9c
Instruction ID: 002bf34016f831b810487eb2424f0c3e5f60012b94e66cb6d73319f760f63c8d
Opcode Fuzzy Hash: 1c708c0f8b67b06eb13bd861cb6ceb71ba49d38784b971d1599987ce6a197d9c
Instruction Fuzzy Hash: 9952B271A04209CFCB15CF68C8809AABBF2FF85314B158AAADE05DB256D771FD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 048F23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ebbf34e94332780ac0b3d22381e9a4ac477a19a7464371ccf425791ae6b557
Instruction ID: 03ce7e0779d8cedb2904d08ef09a9a420fda18efe70444288da07513510c96db
Opcode Fuzzy Hash: 99ebbf34e94332780ac0b3d22381e9a4ac477a19a7464371ccf425791ae6b557
Instruction Fuzzy Hash: CC12AE30E01625CFC724DF69C88066DBBF2BF88314F148AAAD505DB359EB76A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 048F2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3df15ab78cdc220c65f59946bf3e71e6fc2eca286f108dd5cd82e24f4e1788
Instruction ID: 9f24a2f5ab371d19097731ba18abac2eadcb310eb42ba04cd08d764f70a759c5
Opcode Fuzzy Hash: fb3df15ab78cdc220c65f59946bf3e71e6fc2eca286f108dd5cd82e24f4e1788
Instruction Fuzzy Hash: 91818F71F011159BD714DB69CC40A6EBBF3AFC4710F2A8976E905EB359DE31AC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 048F09A5, Relevance: 5.2, Strings: 4, Instructions: 175COMMON

Download Yara Rule

Strings

X1ar, xrefs: 048F0A5A
X1ar, xrefs: 048F0A98
X1ar, xrefs: 048F0A50
X1ar, xrefs: 048F0AA2

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID: X1ar$X1ar$X1ar$X1ar
API String ID: 0-346077691
Opcode ID: ba492e2aa68643aab54681883b1abe32763a69a5f19b0c92a1d857f6d8a41994
Instruction ID: c0eaca6307e698bc65f32b3051f45996c580ca517f5c0044f385a625b2f60f77
Opcode Fuzzy Hash: ba492e2aa68643aab54681883b1abe32763a69a5f19b0c92a1d857f6d8a41994
Instruction Fuzzy Hash: 0351C531B14255DFCB149F64DC54AAE77F2EF85308F108A6AEA46DB355DB30AD02CB81

Uniqueness

Uniqueness Score: -1.00%

Function 048F02E8, Relevance: 4.0, Strings: 3, Instructions: 208COMMON

Download Yara Rule

Strings

hem, xrefs: 048F032A, 048F033E, 048F0378, 048F03BF, 048F04CA
`5ar, xrefs: 048F03A5
:@:r, xrefs: 048F0537

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID: :@:r$`5ar$hem
API String ID: 0-3443689985
Opcode ID: f18280d9fa3ef773b30933e5ad3bece95e17fc03be611c4357ca1abe9f7ca38a
Instruction ID: b09e645f0a6830fa34d4de6957970f1cdd2d709c4aad737289a459c6f8e6f48b
Opcode Fuzzy Hash: f18280d9fa3ef773b30933e5ad3bece95e17fc03be611c4357ca1abe9f7ca38a
Instruction Fuzzy Hash: 53717230B042058FDB08DF68C85066E7BE3AFCA704F14856AD606EB792DB75AC419B91

Uniqueness

Uniqueness Score: -1.00%

Function 048F2D58, Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

>_?r, xrefs: 048F2DA5
, xrefs: 048F2E76

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID: $>_?r
API String ID: 0-334426466
Opcode ID: 2eec0fcd408b3f282930e481e58a499eb6501fc2773a54a17208bee3e445732f
Instruction ID: 86a71baed585497c1ddc1a10efdc92dc9061dabdb1a9edfbcd6b8c0c90593644
Opcode Fuzzy Hash: 2eec0fcd408b3f282930e481e58a499eb6501fc2773a54a17208bee3e445732f
Instruction Fuzzy Hash: 9441B531F042198BCB14DF65CC445BEB762ABC0314B34CEB6D616DB646D636F852CB92

Uniqueness

Uniqueness Score: -1.00%

Function 048F21F8, Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

nm, xrefs: 048F22F1
r*+, xrefs: 048F230F

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID: nm$r*+
API String ID: 0-472714090
Opcode ID: 6e48bdc2514ae5b08578bfd16c0249ff947463f68e86b9d41eb3b5793e9d94ff
Instruction ID: ac07ee4164d38340c10e667257c934c181238781eb22e2562265d2ccedbea27b
Opcode Fuzzy Hash: 6e48bdc2514ae5b08578bfd16c0249ff947463f68e86b9d41eb3b5793e9d94ff
Instruction Fuzzy Hash: D3411D30E05209DFCB44DFE5C9456AEBBB2FF44304F1089AAD502E7264E736AA45DF52

Uniqueness

Uniqueness Score: -1.00%

Function 048F12A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$g^r, xrefs: 048F1349

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: f51447b2fb087c70a71f189afaaaf21afde0887884f67b265a30a69f3afd69e3
Instruction ID: 62d1a7efce2adc1ec52b52d453dfe5d6e9faaaf43f2517a22912facb713d9899
Opcode Fuzzy Hash: f51447b2fb087c70a71f189afaaaf21afde0887884f67b265a30a69f3afd69e3
Instruction Fuzzy Hash: 0C22E734A00A45CFC724DF28C494A6ABBF2FF89314F108A99D95A9B759DB34BD45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 006CAA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 006CAAB1

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 203bb2b003b98fe6316de2869e46eb5e37ab338c1706c07a2a08846d857bdef4
Instruction ID: a93be6b20f1bcb3002eef6f877cd46e1dabe4f0ee0bc29233d15a85e1069e8be
Opcode Fuzzy Hash: 203bb2b003b98fe6316de2869e46eb5e37ab338c1706c07a2a08846d857bdef4
Instruction Fuzzy Hash: 5931C572544384AFE7228B65CC45FA7BFECEF06710F08849BED819B252D264E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 006CAAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,3D86F768,00000000,00000000,00000000,00000000), ref: 006CABB4

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6640ac34dc41ebe90375c332c014cc317631b81bb43066ef7769f4cd6a67679e
Instruction ID: 67b816ad3cb1a708f9bf6f5e9f9a25ab51d97d6616674ebbabc01cf03d06a3c3
Opcode Fuzzy Hash: 6640ac34dc41ebe90375c332c014cc317631b81bb43066ef7769f4cd6a67679e
Instruction Fuzzy Hash: 18319371109384AFD722CB65CC44FA2BFF9EF06314F18849EE985CB252D264E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04C700F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04C7019D

Memory Dump Source

Source File: 00000008.00000002.239404786.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 1d07080c217f09ea090dac711be9d2f442154d2021242614956d0af42f22f4b3
Instruction ID: bf3de918831322a9794d084116d692556bac1eb0efcfaeb98e2ff3f350d1c953
Opcode Fuzzy Hash: 1d07080c217f09ea090dac711be9d2f442154d2021242614956d0af42f22f4b3
Instruction Fuzzy Hash: 88318FB5509780AFE712CF25DC84F56FFE8EF06210F08849AE9848B292D375E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006CAF50, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 006CAFEA

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7ac4b1acfaaab287a3a4fc62d4ec284911ba93c7a711d9f54b50cc2bbcfa12e6
Instruction ID: dd82f91d88545e3510757b5b2d2f90ec259e6479e5a984e91cd064a9d32c7581
Opcode Fuzzy Hash: 7ac4b1acfaaab287a3a4fc62d4ec284911ba93c7a711d9f54b50cc2bbcfa12e6
Instruction Fuzzy Hash: 5321717140D3C06FD7138B258C51B61BFB4EF87624F0A41DBE984CB6A3D224A919C772

Uniqueness

Uniqueness Score: -1.00%

Function 006CAA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 006CAAB1

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4dcdcb4a0002ad4866f8dff724d68c2fb41902230470ef1d0adf73eef29fa9fd
Instruction ID: d0d6dd55aeeb413726003c1db8f9c630b70119b074083219892ad789d873e26d
Opcode Fuzzy Hash: 4dcdcb4a0002ad4866f8dff724d68c2fb41902230470ef1d0adf73eef29fa9fd
Instruction Fuzzy Hash: 0C219F72500604AEE7219BA5CD84FABFBECEF04724F14855BEE459A241D664E809CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 04C7012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04C7019D

Memory Dump Source

Source File: 00000008.00000002.239404786.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: ac83bb30bfe7e40954359079563f73ba190b0e6d90eabbf9f119de29b7ac9063
Instruction ID: b5e6f221d2b43b29deb0c10662c789aaa5f7300cfe4313b3fa9321f2b4c768d5
Opcode Fuzzy Hash: ac83bb30bfe7e40954359079563f73ba190b0e6d90eabbf9f119de29b7ac9063
Instruction Fuzzy Hash: B6217C75604240AFE720DF26D985B6AFBE8EF05760F18846AED458B241E771E504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 006CAB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,3D86F768,00000000,00000000,00000000,00000000), ref: 006CABB4

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3ada41eb3d59aa8f91f86de59a80618d338c61ca1757f8efc03a9a0457e18c36
Instruction ID: bb01de181ed382ba543866f0523f95f9b869e845fbcfa49822d2eb7bdb3ebdff
Opcode Fuzzy Hash: 3ada41eb3d59aa8f91f86de59a80618d338c61ca1757f8efc03a9a0457e18c36
Instruction Fuzzy Hash: 62218E71500608AFE720DF65CC80FA7FBEDEF15714F1484AAEE459B351D660E808CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 006CA51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 006CA58A

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 63f6f4c19a8068066e7a3099ad203f9157bcd217bb7fc2c6996e9b8a9adcac59
Instruction ID: 4bbedae80f7a6602f0413582a826a15954f3eea20ad94537a49d271537ff3cee
Opcode Fuzzy Hash: 63f6f4c19a8068066e7a3099ad203f9157bcd217bb7fc2c6996e9b8a9adcac59
Instruction Fuzzy Hash: 9C116371409384AFDB228F55DC44E62FFF4EF4A214F08859AEE858B252C275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 006CB7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 006CB841

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 62342e71e430dac79e4232fcd8572239ba4e3e843b6630c5e93e6867098314d5
Instruction ID: d068c540722bee20f4cd7504d6aaae4c50760c5e2d68b0d47fbacaef64f90c39
Opcode Fuzzy Hash: 62342e71e430dac79e4232fcd8572239ba4e3e843b6630c5e93e6867098314d5
Instruction Fuzzy Hash: EF218C724097C09FDB128B21DC51AA2BFB4EF17324F0D84DAEDC44F263D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 006CBB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 006CBBB9

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 19f7c9786826c2f660145e98d14ace832e7345f05b2c1a06dcb219e69f04a902
Instruction ID: 360d8b92bebae8e1c574e056f637df76fdfca21895e0f92c719ea4a6c6f6a31b
Opcode Fuzzy Hash: 19f7c9786826c2f660145e98d14ace832e7345f05b2c1a06dcb219e69f04a902
Instruction Fuzzy Hash: 4911D3754093C0AFDB228F25CC45B52FFB4EF16220F0884DEED858B663D265A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 006CBE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 006CBE70

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 019fae8004d227a1d1206024ef8ee3a4d5452eecbe4c1be701be27b3340a664e
Instruction ID: 9832c5f1a0deb8099b9dc76628dc5154d590f21b316c277b86100007f6f0eac5
Opcode Fuzzy Hash: 019fae8004d227a1d1206024ef8ee3a4d5452eecbe4c1be701be27b3340a664e
Instruction Fuzzy Hash: A3117C758093C0AFD7128B259C44BA2BFB4DF47624F0980DEED848F263D265A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 006CB71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 006CB78A

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: bd69bb8aad3c9663917737be0223a76ed263022051a016e36d9934c4d26d6198
Instruction ID: 0ab201b52432c992288594406e5f6b063d0eaf5e4c8c6c89d229aa2785c9bfe7
Opcode Fuzzy Hash: bd69bb8aad3c9663917737be0223a76ed263022051a016e36d9934c4d26d6198
Instruction Fuzzy Hash: F9116071408384AFDB228F55DC44E52FFF4EF4A320F08859EEE858B662C375A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 006CA75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 006CA7BC

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d85ecc325a4a264ca75f85bcd13360810e7f72ad3c0330b0b01ddb02e4d4809c
Instruction ID: d41dcb2c24eedd934db44931bafbf9195a3fa8daf0dab25ba3b52dde68993281
Opcode Fuzzy Hash: d85ecc325a4a264ca75f85bcd13360810e7f72ad3c0330b0b01ddb02e4d4809c
Instruction Fuzzy Hash: BE118F75449384AFD712CF25DC44B92BFB4EF42224F0984EBED458F253D279A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 006CA8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 006CA926

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b9efbc3b18ed6d8808220a4abf4f60990cc1d87a48b7146498866691cd916cf4
Instruction ID: ecf4a5afe2e8642f71ee4c8ccc268690fbcca8c5f9298048faad7a35d7b9d27e
Opcode Fuzzy Hash: b9efbc3b18ed6d8808220a4abf4f60990cc1d87a48b7146498866691cd916cf4
Instruction Fuzzy Hash: A9117C71409784AFD7218F55DC85B52FFF4EF16320F09849AEE854B262C275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 006CA546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 006CA58A

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 613ad3ade6f8a9d7bf94eb0db08fc935baa204569cce9166116231420f1f06a7
Instruction ID: 16afccba370d65216c2adfa190cda5b5ff04773cddde41bc0e7006fefb5a43d0
Opcode Fuzzy Hash: 613ad3ade6f8a9d7bf94eb0db08fc935baa204569cce9166116231420f1f06a7
Instruction Fuzzy Hash: 33016D71400644EFDB218F95D844B66FFE1EF48324F18C59EDE494A612C275E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 006CB746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 006CB78A

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 95285b289c5484e54acedb42c178d4170075b20f211c2f2b00d69649a4c022bc
Instruction ID: 6e8629cd2284527921a2b0241deb9df3b9477782f9d3c1025b99388b3b400804
Opcode Fuzzy Hash: 95285b289c5484e54acedb42c178d4170075b20f211c2f2b00d69649a4c022bc
Instruction Fuzzy Hash: 95015B71400640AFDB218F55D885B66FFE1EF48320F1895AEDE494A622D376E418DF71

Uniqueness

Uniqueness Score: -1.00%

Function 006CAF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 006CAFEA

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 81c006432dc2a7084152d2d21af101d53ff3e815b621b466b6fa1231ae3c218f
Instruction ID: c9ce29d6646ceae422e03258fa287139ecff0d635bb1c799721929600c410956
Opcode Fuzzy Hash: 81c006432dc2a7084152d2d21af101d53ff3e815b621b466b6fa1231ae3c218f
Instruction Fuzzy Hash: 66018B72500600ABD210DF16DC82F26FBA8EB88A20F14815AED084B741E331F916CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 006CBB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 006CBBB9

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f64f834b3bd6feebd277d8e5e5b1bd165da804bc2beb6cb9e826bb9eb6009287
Instruction ID: 23bcc2ec964bfa505a815ea4137b9ff038745af7386933c9d42145901824d0b5
Opcode Fuzzy Hash: f64f834b3bd6feebd277d8e5e5b1bd165da804bc2beb6cb9e826bb9eb6009287
Instruction Fuzzy Hash: B501B135504640DFDB208F15D885B66FFA0EF14320F18C09EDE454B626C771E818DF61

Uniqueness

Uniqueness Score: -1.00%

Function 006CA78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 006CA7BC

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2fdfad5c1c1dcc9975c4d4226b2155c6c3a9c8de8399eb4d56ee2c29aaec0a1e
Instruction ID: 7f84bb7bb514d02459ab0634beeef4bdad81e9f823abcde293b3a17117d8329d
Opcode Fuzzy Hash: 2fdfad5c1c1dcc9975c4d4226b2155c6c3a9c8de8399eb4d56ee2c29aaec0a1e
Instruction Fuzzy Hash: 4601AD788042449FDB10DF55D884BA6FFE4EF44324F18C4AADE088F702D2B5A808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 006CB806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 006CB841

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2138f2f8c7a39a8d754196dd664d44efa4aed2fdebe2f0f77a97166a344e78d6
Instruction ID: c3574a4291e986d136d7f1833c692b1076b3611cf8f2d7eac99c2e721e2f7edc
Opcode Fuzzy Hash: 2138f2f8c7a39a8d754196dd664d44efa4aed2fdebe2f0f77a97166a344e78d6
Instruction Fuzzy Hash: E5018B31800644DFDB208F56D885B66FFA4EF18720F18D09EDE494B222D3B5A418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 006CA8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 006CA926

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a02972e1e71e0fe65389eb9ec68e41e68dab4ced321e511551c3d3db733603f5
Instruction ID: 251de7002928f2bb1b27f63cd427b76114d87dc28b69cd26b6b19ce8a8062db9
Opcode Fuzzy Hash: a02972e1e71e0fe65389eb9ec68e41e68dab4ced321e511551c3d3db733603f5
Instruction Fuzzy Hash: C301AD31400648DFDB208F45D886B62FFA0EF05324F18C1AADE8A0B312C2B5A809DF72

Uniqueness

Uniqueness Score: -1.00%

Function 006CBE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 006CBE70

Memory Dump Source

Source File: 00000008.00000002.238552753.00000000006CA000.00000040.00000001.sdmp, Offset: 006CA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: b73c40206d0b69c54eb464411bb6e095780a2835601a135e448963086161a837
Instruction ID: 281e218ec7abd1f0d150a3920cd4193b6dfb77ff8db494c4cab0b7402deb72c2
Opcode Fuzzy Hash: b73c40206d0b69c54eb464411bb6e095780a2835601a135e448963086161a837
Instruction Fuzzy Hash: 14F0AF35804644DFDB209F15D885BA2FFA0EF08720F18D0AADE494B312D3B5A408CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 048F0682, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

}m, xrefs: 048F074F

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID: }m
API String ID: 0-1855882668
Opcode ID: 71faa74af0e3fa5a1c14c4620a7512847e96b62aed0cb947be5c4331430a6c58
Instruction ID: cd6aba0ef9d49449543450871d2a6a59e48890621a3af2c9cd353548435cd8ab
Opcode Fuzzy Hash: 71faa74af0e3fa5a1c14c4620a7512847e96b62aed0cb947be5c4331430a6c58
Instruction Fuzzy Hash: 7E418B30B0A2458FC7047F38EC1866D3BA7BF8170671566ABE902CB2B5EF615D419B92

Uniqueness

Uniqueness Score: -1.00%

Function 048F1458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$g^r, xrefs: 048F14C7

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: 34e3a946b23981b38a706fcb92e8b63fdd5641a1d4a33c18b006e1c3f1182f21
Instruction ID: e2488fba092523c1ff218bc3751fa6f6065432e0f623cc9e725a16d6eb1cd2da
Opcode Fuzzy Hash: 34e3a946b23981b38a706fcb92e8b63fdd5641a1d4a33c18b006e1c3f1182f21
Instruction Fuzzy Hash: 7951E434A00258CFDB54EF64C894B98BBF2BF89304F1045AAD50AAB369DB35AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 048F02DA, Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

hem, xrefs: 048F032A, 048F033E, 048F0378, 048F04CA

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID: hem
API String ID: 0-2450309517
Opcode ID: a812de2c67116168b61db9fffedca50c8db7fb2b58a2891d5861650c79d1df35
Instruction ID: 585e9cda73f27a32eebe13982ab114f8442487ca0194cd58a2590d7cc15daf4c
Opcode Fuzzy Hash: a812de2c67116168b61db9fffedca50c8db7fb2b58a2891d5861650c79d1df35
Instruction Fuzzy Hash: 62414F30B01205DFDB18CF68C854BAE7BF2AF8A714F148969D602EB792DB71AC41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 048F1292, Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

$g^r, xrefs: 048F1349

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: 7ff381e3856de7fa106257392f1d4ea71a48ca7a2037a4cf0ba899a736463fbd
Instruction ID: b2c2495ea0ee84aa182533a92d29345365a739918649f18c5417c99b0cf1ec71
Opcode Fuzzy Hash: 7ff381e3856de7fa106257392f1d4ea71a48ca7a2037a4cf0ba899a736463fbd
Instruction Fuzzy Hash: 69413634A04258CFCB64DF68C894BADBBB2BF4A344F0045AAD50AEB355DB30AD84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 048F0007, Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

$lm, xrefs: 048F00E2

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID: $lm
API String ID: 0-978194016
Opcode ID: 633fcae2ef8ff1290f8b2fe1d6f9e751048143b8f2d8d06ab86c9f23901a807d
Instruction ID: 17eefe61fefe56360f0971bc978b60f1fe49fa3a6239d3b9dc8bfed11456e68d
Opcode Fuzzy Hash: 633fcae2ef8ff1290f8b2fe1d6f9e751048143b8f2d8d06ab86c9f23901a807d
Instruction Fuzzy Hash: 54317E3060E3C69FC706AB34DC645587FB1BE43208B08599FE581CB297EA749849CB13

Uniqueness

Uniqueness Score: -1.00%

Function 048F02A1, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

Lmm, xrefs: 048F02B6

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID: Lmm
API String ID: 0-1704043961
Opcode ID: 93f38285056cf6e91a73021114431caa3fe9f877532409b4270c135bdaca6240
Instruction ID: 4b2f67ba53ce7bed62c458c01b575d4ba025dae5105606495a87bd5bd350a8d3
Opcode Fuzzy Hash: 93f38285056cf6e91a73021114431caa3fe9f877532409b4270c135bdaca6240
Instruction Fuzzy Hash: 0FE08C2460E7448FC3228B30E891482BFF2BF8A7103059A8ED0C287956C7207C059B12

Uniqueness

Uniqueness Score: -1.00%

Function 048F2BF8, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95421619429053c3df40687cce81e3377f9698c854643882268ed704ea3be720
Instruction ID: 1cc9b5bf0448fc3defe962a7f0b04191ba8434cd253085950a7d541160d5d1a7
Opcode Fuzzy Hash: 95421619429053c3df40687cce81e3377f9698c854643882268ed704ea3be720
Instruction Fuzzy Hash: 4B41373470E3898FC71597349C94979BFB4AF42304B058BEBD696CB5A2F222AC06D752

Uniqueness

Uniqueness Score: -1.00%

Function 048F0BC0, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2363ef92742066359c385f09bcabf59347a5f325ab222f734e655bfcceaadb0d
Instruction ID: 29aaaf2c12b105eba7e349a0c1ea6f4cbcacb747dc8d60941c007e0af1904bae
Opcode Fuzzy Hash: 2363ef92742066359c385f09bcabf59347a5f325ab222f734e655bfcceaadb0d
Instruction Fuzzy Hash: 1241D931B051088FC7159F2CC414AAE7BE6EFC6310F15856BEA06DF391DEB1AD069791

Uniqueness

Uniqueness Score: -1.00%

Function 048F20D0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c6b891b2c8a6fcc1a3e4a0e70bffcacc4ed3a61e9237b35bb002ff20dea2c4
Instruction ID: f9b8f6220cefbf39a874072a65dde70890fb607c3b3cebd70a983c06a80d0359
Opcode Fuzzy Hash: 21c6b891b2c8a6fcc1a3e4a0e70bffcacc4ed3a61e9237b35bb002ff20dea2c4
Instruction Fuzzy Hash: CD319430B04249DFDB05EFA8CC8057EBBB1FB85300B1189A6DA06DB255E731BC81CB95

Uniqueness

Uniqueness Score: -1.00%

Function 048F21E8, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bc27d8dde7dc878017ff657c551f82ac092735c13e229f76ef7873e2c527ba
Instruction ID: 7a698a595bbb573f2dd2c7058be3b10c6aaee60e3f4fb67c98392f4cefbf5ff7
Opcode Fuzzy Hash: d6bc27d8dde7dc878017ff657c551f82ac092735c13e229f76ef7873e2c527ba
Instruction Fuzzy Hash: B4314F30E08209DFCB84DFE4C9456BDBBB2FF45304F104A9AC602D72A5E636AA45DB52

Uniqueness

Uniqueness Score: -1.00%

Function 048F25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489546de17d9951b13fd2429a3a1b4662724564392e80ed18d7581e43e0f056e
Instruction ID: 83f09b899497e293fb5b6eb09f1b9b71ecfe68b2ac1263bf8a97ca16c6b3cc5c
Opcode Fuzzy Hash: 489546de17d9951b13fd2429a3a1b4662724564392e80ed18d7581e43e0f056e
Instruction Fuzzy Hash: 76318B30E01249CFDB60DF66D84065EBBF2BF84314F10E66AC1059F269DBB9A689CF41

Uniqueness

Uniqueness Score: -1.00%

Function 048F4190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1025785378677cf673090ec5ec3ac348f3ebdfbecfc6d912d113b4a55f6ca14
Instruction ID: 5edbf52f6aeeb80ad146b24e7326c71a3db5767f0d447f4abd4ab3868a89373f
Opcode Fuzzy Hash: b1025785378677cf673090ec5ec3ac348f3ebdfbecfc6d912d113b4a55f6ca14
Instruction Fuzzy Hash: C811E771B002199BDB14ABF8DC145BF7BA7AFD4704B110A3F9607D7244FE71A94097A2

Uniqueness

Uniqueness Score: -1.00%

Function 048F11DF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfcdf8f1a29156b2f1b6d39cb0d78b010a4eea0cedda5f59cf828fac4bdc70f
Instruction ID: aaf6c79562618add040a76bdf8357364a1df128f4fc50bb58a37f0f62f96088d
Opcode Fuzzy Hash: 9cfcdf8f1a29156b2f1b6d39cb0d78b010a4eea0cedda5f59cf828fac4bdc70f
Instruction Fuzzy Hash: 4511A5303081C4CFC305D7A8C8588697FE5BF8660471546EBE646CB677DF71AC099B52

Uniqueness

Uniqueness Score: -1.00%

Function 048F05BA, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af3310b95109284749bbde207e03c4ca5161277eb8965f8a2313beb5e49e7a2
Instruction ID: 71af0805b125ef9674cc823bfa17503154436b66bcb4ef74cf3a1e7475a2c9b9
Opcode Fuzzy Hash: 8af3310b95109284749bbde207e03c4ca5161277eb8965f8a2313beb5e49e7a2
Instruction Fuzzy Hash: DC0121303002AA0BCB0A3B3D98115BF3B8BABC2614708406FE106DF3C2DE649C0343EA

Uniqueness

Uniqueness Score: -1.00%

Function 048F1209, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f95c377bd094b9992f1c37a7cba05f83da3802b74c52cf71631725a838d0842
Instruction ID: c07b0a1d319718f196129a1881edcb5e2c3b2d01a4c2444fad5b703f009785ec
Opcode Fuzzy Hash: 3f95c377bd094b9992f1c37a7cba05f83da3802b74c52cf71631725a838d0842
Instruction Fuzzy Hash: 3C019E30308180CFC704DBA8D45886A7BE6AF9630472506BBE506CB7B6DE719C099B42

Uniqueness

Uniqueness Score: -1.00%

Function 048F05C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61359154743eeee77e96fe37dda9fff0c8f4659995e170fc5484265c54f096cb
Instruction ID: 574c3616a7fef3c2e0ab44728f7c85a530f1b3cf1ff590311c243f7cbcaf8e46
Opcode Fuzzy Hash: 61359154743eeee77e96fe37dda9fff0c8f4659995e170fc5484265c54f096cb
Instruction Fuzzy Hash: 70F0243070012E07CB083B7D9811ABF268F9BC5658714402FE206DF385DEB49C0303EA

Uniqueness

Uniqueness Score: -1.00%

Function 048F1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a6217f3d470af502c72325b2a15e186c772733d1eee1e97deb5910b0f9be2d
Instruction ID: 2baef46ff27b9476af6a3679af88ba14fb8db9e9697a9608b6983d749a2be512
Opcode Fuzzy Hash: 16a6217f3d470af502c72325b2a15e186c772733d1eee1e97deb5910b0f9be2d
Instruction Fuzzy Hash: 65018130304014CFC744EBACD4589697BEABFC5715B2046AAE606CB775DFB2AC099B82

Uniqueness

Uniqueness Score: -1.00%

Function 048F4180, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4618c893d9e4e1af62e1f2e7188193f76db78f1850197ab66424f738116444a7
Instruction ID: 17a8b08e4105c428e423f07009b002961162cbbfcbb4f1a5b5cd74c8f5c98fa3
Opcode Fuzzy Hash: 4618c893d9e4e1af62e1f2e7188193f76db78f1850197ab66424f738116444a7
Instruction Fuzzy Hash: 7DF05531B092689FDB206B746C094EFBFA49EE22847010ABFDA07C2002F5B520198A92

Uniqueness

Uniqueness Score: -1.00%

Function 048F0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab3407e0f23a3b838bd3d40b3b0b4b67da190bc746a2850b34b950a09dd5a70
Instruction ID: ae1f31b55213b1c2449a251c20691f58fcb8a326b7c05283267f86a9077c8f5f
Opcode Fuzzy Hash: 3ab3407e0f23a3b838bd3d40b3b0b4b67da190bc746a2850b34b950a09dd5a70
Instruction Fuzzy Hash: 82E0E532F2521C9F9B105AF99D005AFBBA9D7C6354F004E27DF07E7242FA7069516292

Uniqueness

Uniqueness Score: -1.00%

Function 048F2D20, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c390bb544f6d336099e3e9bc23534d5be95efd29d9420e7bb3fab23af1c13866
Instruction ID: 4625ad8ed21609068994781c83d10f11c55a44d4b80c6a0b2a4a468f999bfb83
Opcode Fuzzy Hash: c390bb544f6d336099e3e9bc23534d5be95efd29d9420e7bb3fab23af1c13866
Instruction Fuzzy Hash: C2D0A57154F3CC6ED76116305C657943F304726305F151BC7D146C54E3E14659156713

Uniqueness

Uniqueness Score: -1.00%

Function 048F0650, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cda898c3e274931b32d4ae5e36fb8f0e31b3fe75f5e3ea9e56b14ed846dc95a
Instruction ID: 8e0c9cc4175db87b95ab753484c3792ff230b8bd66599cb0b9bdf585ba13eb98
Opcode Fuzzy Hash: 0cda898c3e274931b32d4ae5e36fb8f0e31b3fe75f5e3ea9e56b14ed846dc95a
Instruction Fuzzy Hash: 3FD05E7158F3C88EC74683705C254E97F614D93118B088AABD9829A863D42A6883EA12

Uniqueness

Uniqueness Score: -1.00%

Function 048F016F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d98e398ee4dc5bfee4883200d2a06b169742a2e9fba9ca55251abd75326f1f
Instruction ID: fb966f79a749bf96dc46b9740397c671a666ef9c84572c4b610b3986b85687af
Opcode Fuzzy Hash: 36d98e398ee4dc5bfee4883200d2a06b169742a2e9fba9ca55251abd75326f1f
Instruction Fuzzy Hash: 37E05B316077908FCB056B31E85A45C3B72AF5611570447BFD467C7BE1DA3AD486CE01

Uniqueness

Uniqueness Score: -1.00%

Function 006C23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.238548005.00000000006C2000.00000040.00000001.sdmp, Offset: 006C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21769be0e48144e6eb1c2f4e8e9b415c8339627eb17aca1f1f496811f8664fc9
Instruction ID: 93472586d9dc2ec03d036eef67a9251a8cecbd4f9f07c553c8e33b69676d3605
Opcode Fuzzy Hash: 21769be0e48144e6eb1c2f4e8e9b415c8339627eb17aca1f1f496811f8664fc9
Instruction Fuzzy Hash: FBD05E79215A828FD32A8A1CC1B8FA53BE5EB51B04F4684FDEC008B763C368D9D1D200

Uniqueness

Uniqueness Score: -1.00%

Function 006C23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.238548005.00000000006C2000.00000040.00000001.sdmp, Offset: 006C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115481b4c79777e5854e2d344821f8d6853f202c46b9eae316ec4b9399c3bc08
Instruction ID: 57eb1157ee5d6b8015efce192cfe410053e7a010702f04722115615c06343581
Opcode Fuzzy Hash: 115481b4c79777e5854e2d344821f8d6853f202c46b9eae316ec4b9399c3bc08
Instruction Fuzzy Hash: 7CD05E343002828BC715DB0CC5A4FA937D5EB41B00F0644ECAC008B762C3A8DC81C600

Uniqueness

Uniqueness Score: -1.00%

Function 048F0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c0ba15f78fe00e20a7c0c2339028d1708a7a01be89d2597839f1a6f99e0a22
Instruction ID: 49eeb599430b2bfde73f926773bd8e2f85efdfdfc735f30e2ea2158d791a3fc3
Opcode Fuzzy Hash: 75c0ba15f78fe00e20a7c0c2339028d1708a7a01be89d2597839f1a6f99e0a22
Instruction Fuzzy Hash: 6BD01230602354CFCB082B70F81982833AABF8920A300187EE8068B764EF37E880CA00

Uniqueness

Uniqueness Score: -1.00%

Function 048F0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c347500bfbb99b1ebaefd6f0341198050dfb97e74cc7ccc0d04b1007eed96b5
Instruction ID: 76ae9b979b3edfbe701b6d98276f8c7fbc99342b341f45107a978413c1ac69f9
Opcode Fuzzy Hash: 3c347500bfbb99b1ebaefd6f0341198050dfb97e74cc7ccc0d04b1007eed96b5
Instruction Fuzzy Hash: 9BC02B7064A30CCEC30417705C04435730956C230C300CD33860254023BD367451EC26

Uniqueness

Uniqueness Score: -1.00%

Function 048F2EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dffd8aea0f310d6d152d274bddd0ea70a718567404a51927d312e035193a26c
Instruction ID: 2ebfe115115006f68553a7e45ae571699acb06daaff0efd1a2ae4f0c63dfc0eb
Opcode Fuzzy Hash: 7dffd8aea0f310d6d152d274bddd0ea70a718567404a51927d312e035193a26c
Instruction Fuzzy Hash: 21B0123060420A1B17405BB12C08A12338C474050539015A1990CC0001F511E0902150

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 048F01A8, Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

hfm, xrefs: 048F01DC
hfm, xrefs: 048F0264
hfm, xrefs: 048F020B
hfm, xrefs: 048F023A

Memory Dump Source

Source File: 00000008.00000002.239253905.00000000048F0000.00000040.00000001.sdmp, Offset: 048F0000, based on PE: false

Similarity

API ID:
String ID: hfm$hfm$hfm$hfm
API String ID: 0-4094374818
Opcode ID: a6624107ff1f7a03a7a593d9348052c1d65475c90f09f350624d938a19368eeb
Instruction ID: e80213e60b5bd82e6a6ff86075a4d809fa32944566d7853b5164d8f47c105796
Opcode Fuzzy Hash: a6624107ff1f7a03a7a593d9348052c1d65475c90f09f350624d938a19368eeb
Instruction Fuzzy Hash: 20212F70B012149FEB108EA8DC80F667BE6EF86744F500469E605DB391EA74EC018B65

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ws8W4yPAvg.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Operating System Destruction:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports