Play interactive tour

Edit tour

Windows Analysis Report wmaJOYGy7Q

Overview

General Information

Sample Name:	wmaJOYGy7Q (renamed file extension from none to exe)
Analysis ID:	435328
MD5:	5688c69c4379841eee42dcaec2dbf55a
SHA1:	09a30ec730d1fdf77e80f6d31aa4d810e36b1c44
SHA256:	62801897ae3411a8f144f2f7290ad2133ad0895f4f1550922dca9c6f4b9e8114
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sigma detected: Suspicious Process Start Without DLL

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

wmaJOYGy7Q.exe (PID: 5344 cmdline: 'C:\Users\user\Desktop\wmaJOYGy7Q.exe' MD5: 5688C69C4379841EEE42DCAEC2DBF55A)

RegAsm.exe (PID: 4764 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

schtasks.exe (PID: 5812 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8A08.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegAsm.exe (PID: 6140 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)

conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "18773cd6-e296-4327-b004-0088e2e8", "Group": "WEALTH", "Domain1": "185.140.53.154", "Domain2": "wealthybillionaire.ddns.net", "Port": 5540, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4347f:$x1: NanoCore.ClientPluginHost 0x7615f:$x1: NanoCore.ClientPluginHost 0xa8e2f:$x1: NanoCore.ClientPluginHost 0x434bc:$x2: IClientNetworkHost 0x7619c:$x2: IClientNetworkHost 0xa8e6c:$x2: IClientNetworkHost 0x46fef:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79ccf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xac99f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x431e7:$a: NanoCore 0x431f7:$a: NanoCore 0x4342b:$a: NanoCore 0x4343f:$a: NanoCore 0x4347f:$a: NanoCore 0x75ec7:$a: NanoCore 0x75ed7:$a: NanoCore 0x7610b:$a: NanoCore 0x7611f:$a: NanoCore 0x7615f:$a: NanoCore 0xa8b97:$a: NanoCore 0xa8ba7:$a: NanoCore 0xa8ddb:$a: NanoCore 0xa8def:$a: NanoCore 0xa8e2f:$a: NanoCore 0x43246:$b: ClientPlugin 0x43448:$b: ClientPlugin 0x43488:$b: ClientPlugin 0x75f26:$b: ClientPlugin 0x76128:$b: ClientPlugin 0x76168:$b: ClientPlugin
00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x31ebd:$x1: NanoCore.ClientPluginHost 0x31efa:$x2: IClientNetworkHost 0x35a2d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x31c25:$a: NanoCore 0x31c35:$a: NanoCore 0x31e69:$a: NanoCore 0x31e7d:$a: NanoCore 0x31ebd:$a: NanoCore 0x31c84:$b: ClientPlugin 0x31e86:$b: ClientPlugin 0x31ec6:$b: ClientPlugin 0x1c776:$c: ProjectData 0x31dab:$c: ProjectData 0x327b2:$d: DESCrypto 0x3a17e:$e: KeepAlive 0x3816c:$g: LogClientMessage 0x34367:$i: get_Connected 0x32ae8:$j: #=q 0x32b18:$j: #=q 0x32b34:$j: #=q 0x32b64:$j: #=q 0x32b80:$j: #=q 0x32b9c:$j: #=q 0x32bcc:$j: #=q
00000005.00000002.490006265.0000000005050000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000005.00000002.490006265.0000000005050000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000005.00000002.490199362.0000000005250000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000005.00000002.490199362.0000000005250000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.490199362.0000000005250000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.486898144.00000000039B9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.486898144.00000000039B9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x35e5:$a: NanoCore 0x363e:$a: NanoCore 0x367b:$a: NanoCore 0x36f4:$a: NanoCore 0x16d9f:$a: NanoCore 0x16db4:$a: NanoCore 0x16de9:$a: NanoCore 0x2fd93:$a: NanoCore 0x2fda8:$a: NanoCore 0x2fddd:$a: NanoCore 0x3647:$b: ClientPlugin 0x3684:$b: ClientPlugin 0x3f82:$b: ClientPlugin 0x3f8f:$b: ClientPlugin 0x16b5b:$b: ClientPlugin 0x16b76:$b: ClientPlugin 0x16ba6:$b: ClientPlugin 0x16dbd:$b: ClientPlugin 0x16df2:$b: ClientPlugin 0x2fb4f:$b: ClientPlugin 0x2fb6a:$b: ClientPlugin
00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x107af:$x1: NanoCore.ClientPluginHost 0x4346d:$x1: NanoCore.ClientPluginHost 0x107ec:$x2: IClientNetworkHost 0x434aa:$x2: IClientNetworkHost 0x1431f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46fdd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10517:$a: NanoCore 0x10527:$a: NanoCore 0x1075b:$a: NanoCore 0x1076f:$a: NanoCore 0x107af:$a: NanoCore 0x431d5:$a: NanoCore 0x431e5:$a: NanoCore 0x43419:$a: NanoCore 0x4342d:$a: NanoCore 0x4346d:$a: NanoCore 0x10576:$b: ClientPlugin 0x10778:$b: ClientPlugin 0x107b8:$b: ClientPlugin 0x43234:$b: ClientPlugin 0x43436:$b: ClientPlugin 0x43476:$b: ClientPlugin 0x1069d:$c: ProjectData 0x4335b:$c: ProjectData 0x110a4:$d: DESCrypto 0x43d62:$d: DESCrypto 0x18a70:$e: KeepAlive
00000005.00000002.484995497.0000000002971000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 4764	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x57e84:$x1: NanoCore.ClientPluginHost 0xfd17b:$x1: NanoCore.ClientPluginHost 0x102d3a:$x1: NanoCore.ClientPluginHost 0x114100:$x1: NanoCore.ClientPluginHost 0x1e3859:$x1: NanoCore.ClientPluginHost 0x57ee5:$x2: IClientNetworkHost 0xfd1a1:$x2: IClientNetworkHost 0x102d7f:$x2: IClientNetworkHost 0x114145:$x2: IClientNetworkHost 0x1e387f:$x2: IClientNetworkHost 0x5d2ea:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6b25c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegAsm.exe PID: 4764	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 4764	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15a17:$a: NanoCore 0x57989:$a: NanoCore 0x579a5:$a: NanoCore 0x57b00:$a: NanoCore 0x57b0f:$a: NanoCore 0x57de8:$a: NanoCore 0x57e14:$a: NanoCore 0x57e84:$a: NanoCore 0x678c6:$a: NanoCore 0x678d8:$a: NanoCore 0x67914:$a: NanoCore 0xfd06d:$a: NanoCore 0xfd10e:$a: NanoCore 0xfd17b:$a: NanoCore 0xfd23c:$a: NanoCore 0xfe10d:$a: NanoCore 0xfe160:$a: NanoCore 0xfe199:$a: NanoCore 0xfe20c:$a: NanoCore 0x102cb4:$a: NanoCore 0x102ce1:$a: NanoCore
Process Memory Space: wmaJOYGy7Q.exe PID: 5344	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd8815:$x1: NanoCore.ClientPluginHost 0xf73e5:$x1: NanoCore.ClientPluginHost 0x115fb5:$x1: NanoCore.ClientPluginHost 0x19d5f4:$x1: NanoCore.ClientPluginHost 0x2e0158:$x1: NanoCore.ClientPluginHost 0x2fed10:$x1: NanoCore.ClientPluginHost 0xd8876:$x2: IClientNetworkHost 0xf7446:$x2: IClientNetworkHost 0x116016:$x2: IClientNetworkHost 0x19d655:$x2: IClientNetworkHost 0x2e01b9:$x2: IClientNetworkHost 0x2fed71:$x2: IClientNetworkHost 0xddc7b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xebbed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xfc84b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10a7bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11b41b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12938d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1a2a5a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1b09cc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2e55be:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: wmaJOYGy7Q.exe PID: 5344	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: wmaJOYGy7Q.exe PID: 5344	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd831a:$a: NanoCore 0xd8336:$a: NanoCore 0xd8491:$a: NanoCore 0xd84a0:$a: NanoCore 0xd8779:$a: NanoCore 0xd87a5:$a: NanoCore 0xd8815:$a: NanoCore 0xe8257:$a: NanoCore 0xe8269:$a: NanoCore 0xe82a5:$a: NanoCore 0xf6eea:$a: NanoCore 0xf6f06:$a: NanoCore 0xf7061:$a: NanoCore 0xf7070:$a: NanoCore 0xf7349:$a: NanoCore 0xf7375:$a: NanoCore 0xf73e5:$a: NanoCore 0x106e27:$a: NanoCore 0x106e39:$a: NanoCore 0x106e75:$a: NanoCore 0x115aba:$a: NanoCore
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.RegAsm.exe.39c063c.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287ce:$x2: IClientNetworkHost
5.2.RegAsm.exe.39c063c.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2987c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287bb:$s5: IClientLoggingHost
5.2.RegAsm.exe.39c063c.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegAsm.exe.299caf0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.RegAsm.exe.299caf0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.RegAsm.exe.5250000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.RegAsm.exe.5250000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.RegAsm.exe.5250000.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegAsm.exe.39bb806.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5d7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d604:$x2: IClientNetworkHost
5.2.RegAsm.exe.39bb806.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5d7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6b2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f1:$s5: IClientLoggingHost
5.2.RegAsm.exe.39bb806.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegAsm.exe.39bb806.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d58d:$a: NanoCore 0x2d5a2:$a: NanoCore 0x2d5d7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d349:$b: ClientPlugin 0x2d364:$b: ClientPlugin
1.2.wmaJOYGy7Q.exe.3756622.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wmaJOYGy7Q.exe.3756622.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.wmaJOYGy7Q.exe.3756622.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.3756622.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.wmaJOYGy7Q.exe.37892e0.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wmaJOYGy7Q.exe.37892e0.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.wmaJOYGy7Q.exe.37892e0.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.37892e0.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegAsm.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.RegAsm.exe.39c4c65.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24178:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241a5:$x2: IClientNetworkHost
5.2.RegAsm.exe.39c4c65.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24178:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25253:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24192:$s5: IClientLoggingHost
5.2.RegAsm.exe.39c4c65.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.368b2f2.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wmaJOYGy7Q.exe.368b2f2.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.wmaJOYGy7Q.exe.368b2f2.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.368b2f2.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.wmaJOYGy7Q.exe.36f0ca2.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wmaJOYGy7Q.exe.36f0ca2.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.wmaJOYGy7Q.exe.36f0ca2.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.36f0ca2.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.wmaJOYGy7Q.exe.36f0ca2.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wmaJOYGy7Q.exe.36f0ca2.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.wmaJOYGy7Q.exe.36f0ca2.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.36f0ca2.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.wmaJOYGy7Q.exe.37892e0.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wmaJOYGy7Q.exe.37892e0.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.wmaJOYGy7Q.exe.37892e0.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.37892e0.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.RegAsm.exe.39c063c.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.RegAsm.exe.39c063c.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.RegAsm.exe.39c063c.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.3539510.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x309ad:$x1: NanoCore.ClientPluginHost 0x309ea:$x2: IClientNetworkHost 0x3451d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wmaJOYGy7Q.exe.3539510.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x30725:$x1: NanoCore Client.exe 0x309ad:$x2: NanoCore.ClientPluginHost 0x31fe6:$s1: PluginCommand 0x31fda:$s2: FileCommand 0x32e8b:$s3: PipeExists 0x38c42:$s4: PipeCreated 0x309d7:$s5: IClientLoggingHost
1.2.wmaJOYGy7Q.exe.3539510.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.3539510.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x30715:$a: NanoCore 0x30725:$a: NanoCore 0x30959:$a: NanoCore 0x3096d:$a: NanoCore 0x309ad:$a: NanoCore 0x30774:$b: ClientPlugin 0x30976:$b: ClientPlugin 0x309b6:$b: ClientPlugin 0x1b266:$c: ProjectData 0x3089b:$c: ProjectData 0x312a2:$d: DESCrypto 0x38c6e:$e: KeepAlive 0x36c5c:$g: LogClientMessage 0x32e57:$i: get_Connected 0x315d8:$j: #=q 0x31608:$j: #=q 0x31624:$j: #=q 0x31654:$j: #=q 0x31670:$j: #=q 0x3168c:$j: #=q 0x316bc:$j: #=q
5.2.RegAsm.exe.5050000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.RegAsm.exe.5050000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.RegAsm.exe.5250000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.RegAsm.exe.5250000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.RegAsm.exe.5250000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.368b2f2.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42e6d:$x1: NanoCore.ClientPluginHost 0x75b3d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42eaa:$x2: IClientNetworkHost 0x75b7a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x469dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x796ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wmaJOYGy7Q.exe.368b2f2.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.368b2f2.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42bd5:$a: NanoCore 0x42be5:$a: NanoCore 0x42e19:$a: NanoCore 0x42e2d:$a: NanoCore 0x42e6d:$a: NanoCore 0x758a5:$a: NanoCore 0x758b5:$a: NanoCore 0x75ae9:$a: NanoCore 0x75afd:$a: NanoCore 0x75b3d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42c34:$b: ClientPlugin 0x42e36:$b: ClientPlugin 0x42e76:$b: ClientPlugin
5.2.RegAsm.exe.5254629.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.RegAsm.exe.5254629.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
5.2.RegAsm.exe.5254629.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.36bdfd2.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wmaJOYGy7Q.exe.36bdfd2.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.wmaJOYGy7Q.exe.36bdfd2.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.36bdfd2.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.wmaJOYGy7Q.exe.36bdfd2.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42e5d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42e9a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x469cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wmaJOYGy7Q.exe.36bdfd2.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42bd5:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42e5d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x44496:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x4448a:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4533b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4b0f2:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42e87:$s5: IClientLoggingHost
1.2.wmaJOYGy7Q.exe.36bdfd2.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.36bdfd2.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42bc5:$a: NanoCore 0x42bd5:$a: NanoCore 0x42e09:$a: NanoCore 0x42e1d:$a: NanoCore 0x42e5d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42c24:$b: ClientPlugin 0x42e26:$b: ClientPlugin 0x42e66:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42d4b:$c: ProjectData 0x10a82:$d: DESCrypto 0x43752:$d: DESCrypto 0x1844e:$e: KeepAlive
1.2.wmaJOYGy7Q.exe.3756622.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42e4b:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42e88:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x469bb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.wmaJOYGy7Q.exe.3756622.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42bc3:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42e4b:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x44484:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x44478:$s2: FileCommand 0x1266b:$s3: PipeExists 0x45329:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4b0e0:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42e75:$s5: IClientLoggingHost
1.2.wmaJOYGy7Q.exe.3756622.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wmaJOYGy7Q.exe.3756622.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42bb3:$a: NanoCore 0x42bc3:$a: NanoCore 0x42df7:$a: NanoCore 0x42e0b:$a: NanoCore 0x42e4b:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42c12:$b: ClientPlugin 0x42e14:$b: ClientPlugin 0x42e54:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42d39:$c: ProjectData 0x10a82:$d: DESCrypto 0x43740:$d: DESCrypto 0x1844e:$e: KeepAlive
Click to see the 68 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 4764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Suspicious Process Start Without DLL

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\wmaJOYGy7Q.exe' , ParentImage: C:\Users\user\Desktop\wmaJOYGy7Q.exe, ParentProcessId: 5344, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 4764

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\wmaJOYGy7Q.exe' , ParentImage: C:\Users\user\Desktop\wmaJOYGy7Q.exe, ParentProcessId: 5344, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 4764

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000005.00000002.486898144.00000000039B9000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "18773cd6-e296-4327-b004-0088e2e8", "Group": "WEALTH", "Domain1": "185.140.53.154", "Domain2": "wealthybillionaire.ddns.net", "Port": 5540, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Show sources

Source: wmaJOYGy7Q.exe	Virustotal: Detection: 30%			Perma Link
Source: wmaJOYGy7Q.exe	ReversingLabs: Detection: 22%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.490199362.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.486898144.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.484995497.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4764, type: MEMORY
Source: Yara match	File source: Process Memory Space: wmaJOYGy7Q.exe PID: 5344, type: MEMORY
Source: Yara match	File source: 5.2.RegAsm.exe.39c063c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.5250000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.39bb806.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.3756622.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.37892e0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.39c4c65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.37892e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.39c063c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.3539510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.5250000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.5254629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.3756622.7.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: wmaJOYGy7Q.exe

Joe Sandbox ML: detected

Source: 5.2.RegAsm.exe.5250000.8.unpack	Avira: Label: TR/NanoCore.fadte
Source: 5.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: wmaJOYGy7Q.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: wmaJOYGy7Q.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.1.dr
Source:	Binary string: RegAsm.pdb4 source: wmaJOYGy7Q.exe, 00000001.00000003.245266726.000000000659F000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.481832170.00000000007A2000.00000002.00020000.sdmp, RegAsm.exe, 0000000A.00000000.265143944.00000000000D2000.00000002.00020000.sdmp, RegAsm.exe.1.dr

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then jmp 06252038h	1_2_062517C0
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then xor edx, edx	1_2_06257260
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then push dword ptr [ebp-24h]	1_2_06257328
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	1_2_06257328
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	1_2_06256808
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	1_2_06257908
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then jmp 06252038h	1_2_062517B0
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	1_2_062595BD
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then xor edx, edx	1_2_06257257
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then xor edx, edx	1_2_0625725F
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then push dword ptr [ebp-24h]	1_2_0625731F
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	1_2_0625731F
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then push dword ptr [ebp-20h]	1_2_06257008
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	1_2_06257008
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then push dword ptr [ebp-20h]	1_2_06256FFC
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	1_2_06256FFC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49741 -> 185.140.53.154:5540
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 185.140.53.154:5540

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 185.140.53.154
Source: Malware configuration extractor	URLs: wealthybillionaire.ddns.net

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: wealthybillionaire.ddns.net

Source: global traffic

TCP traffic: 192.168.2.3:49741 -> 185.140.53.154:5540

Source: Joe Sandbox View

IP Address: 185.140.53.154 185.140.53.154

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown

DNS traffic detected: queries for: wealthybillionaire.ddns.net

Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0
Source: wmaJOYGy7Q.exe, 00000001.00000003.235556788.00000000068CE000.00000004.00000001.sdmp, wmaJOYGy7Q.exe, 00000001.00000003.255397342.00000000068CE000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: wmaJOYGy7Q.exe, 00000001.00000003.235556788.00000000068CE000.00000004.00000001.sdmp, wmaJOYGy7Q.exe, 00000001.00000003.255397342.00000000068CE000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: wmaJOYGy7Q.exe, 00000001.00000003.255397342.00000000068CE000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g%%_
Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/g
Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: wmaJOYGy7Q.exe, 00000001.00000002.257464970.0000000002561000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: wmaJOYGy7Q.exe, 00000001.00000002.257403401.0000000002531000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: wmaJOYGy7Q.exe, 00000001.00000002.257403401.0000000002531000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: wmaJOYGy7Q.exe, 00000001.00000002.257403401.0000000002531000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/

Source: wmaJOYGy7Q.exe, 00000001.00000002.256664574.0000000000990000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: RegAsm.exe, 00000005.00000002.486898144.00000000039B9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.490199362.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.486898144.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.484995497.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4764, type: MEMORY
Source: Yara match	File source: Process Memory Space: wmaJOYGy7Q.exe PID: 5344, type: MEMORY
Source: Yara match	File source: 5.2.RegAsm.exe.39c063c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.5250000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.39bb806.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.3756622.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.37892e0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.39c4c65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.37892e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.39c063c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.3539510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.5250000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.5254629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.3756622.7.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.490006265.0000000005050000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.490199362.0000000005250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.486898144.00000000039B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4764, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 4764, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: wmaJOYGy7Q.exe PID: 5344, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: wmaJOYGy7Q.exe PID: 5344, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.39c063c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.299caf0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.5250000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.39bb806.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.39bb806.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wmaJOYGy7Q.exe.3756622.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.3756622.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wmaJOYGy7Q.exe.37892e0.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.37892e0.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.39c4c65.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wmaJOYGy7Q.exe.37892e0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.37892e0.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.39c063c.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.3539510.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.3539510.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.5050000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.5250000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.5254629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wmaJOYGy7Q.exe.3756622.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wmaJOYGy7Q.exe.3756622.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large array initializations

Show sources

Source: wmaJOYGy7Q.exe, Qb7p/Kg37.cs	Large array initialization: .cctor: array initializer size 2653
Source: wmaJOYGy7Q.exe, e1L/Bs2.cs	Large array initialization: .cctor: array initializer size 2943
Source: 1.0.wmaJOYGy7Q.exe.190000.0.unpack, Qb7p/Kg37.cs	Large array initialization: .cctor: array initializer size 2653
Source: 1.0.wmaJOYGy7Q.exe.190000.0.unpack, e1L/Bs2.cs	Large array initialization: .cctor: array initializer size 2943
Source: 1.2.wmaJOYGy7Q.exe.190000.0.unpack, e1L/Bs2.cs	Large array initialization: .cctor: array initializer size 2943
Source: 1.2.wmaJOYGy7Q.exe.190000.0.unpack, Qb7p/Kg37.cs	Large array initialization: .cctor: array initializer size 2653

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_0247D3C0	1_2_0247D3C0
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_0247F140	1_2_0247F140
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_02479F90	1_2_02479F90
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_02478BC8	1_2_02478BC8
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_02479808	1_2_02479808
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_062517C0	1_2_062517C0
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_06250040	1_2_06250040
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_06258489	1_2_06258489
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_06258490	1_2_06258490
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_06252568	1_2_06252568
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_06252558	1_2_06252558
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_0625F24F	1_2_0625F24F
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_0625F250	1_2_0625F250
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_06250006	1_2_06250006
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_06257EE0	1_2_06257EE0
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_06257ECF	1_2_06257ECF
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_007A3DFE	5_2_007A3DFE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_04E5E480	5_2_04E5E480
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_04E5E471	5_2_04E5E471
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_04E5BBD4	5_2_04E5BBD4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_04FAF5F8	5_2_04FAF5F8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_04FA9788	5_2_04FA9788
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_04FAA610	5_2_04FAA610
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_06380040	5_2_06380040
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 10_2_000D3DFE	10_2_000D3DFE

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74

Source: wmaJOYGy7Q.exe, 00000001.00000003.245266726.000000000659F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRegAsm.exeT vs wmaJOYGy7Q.exe
Source: wmaJOYGy7Q.exe, 00000001.00000002.256664574.0000000000990000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs wmaJOYGy7Q.exe
Source: wmaJOYGy7Q.exe, 00000001.00000002.255901642.0000000000234000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTest03.exeH vs wmaJOYGy7Q.exe
Source: wmaJOYGy7Q.exe, 00000001.00000002.265944056.0000000005590000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs wmaJOYGy7Q.exe
Source: wmaJOYGy7Q.exe, 00000001.00000002.257698522.00000000025E2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPe6.dll" vs wmaJOYGy7Q.exe
Source: wmaJOYGy7Q.exe, 00000001.00000002.266999737.0000000005FC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs wmaJOYGy7Q.exe
Source: wmaJOYGy7Q.exe, 00000001.00000002.266076337.00000000055D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs wmaJOYGy7Q.exe
Source: wmaJOYGy7Q.exe	Binary or memory string: OriginalFilenameTest03.exeH vs wmaJOYGy7Q.exe

Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior

Source: wmaJOYGy7Q.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.490006265.0000000005050000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.490006265.0000000005050000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.490199362.0000000005250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.490199362.0000000005250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.486898144.00000000039B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 4764, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 4764, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: wmaJOYGy7Q.exe PID: 5344, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: wmaJOYGy7Q.exe PID: 5344, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.39c063c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.39c063c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.299caf0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.299caf0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.5250000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.5250000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.39bb806.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.39bb806.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.39bb806.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wmaJOYGy7Q.exe.3756622.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wmaJOYGy7Q.exe.3756622.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.3756622.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wmaJOYGy7Q.exe.37892e0.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wmaJOYGy7Q.exe.37892e0.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.37892e0.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.39c4c65.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.39c4c65.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wmaJOYGy7Q.exe.37892e0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wmaJOYGy7Q.exe.37892e0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.37892e0.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.39c063c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.39c063c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.3539510.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wmaJOYGy7Q.exe.3539510.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.3539510.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.5050000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.5050000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.5250000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.5250000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.5254629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.5254629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wmaJOYGy7Q.exe.3756622.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.wmaJOYGy7Q.exe.3756622.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.wmaJOYGy7Q.exe.3756622.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 5.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/8@3/1

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wmaJOYGy7Q.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{18773cd6-e296-4327-b004-0088e2e894f7}

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe

File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Jump to behavior

Source: wmaJOYGy7Q.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: wmaJOYGy7Q.exe	Virustotal: Detection: 30%
Source: wmaJOYGy7Q.exe	ReversingLabs: Detection: 22%

Source: unknown	Process created: C:\Users\user\Desktop\wmaJOYGy7Q.exe 'C:\Users\user\Desktop\wmaJOYGy7Q.exe'
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8A08.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8A08.tmp'	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: wmaJOYGy7Q.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: wmaJOYGy7Q.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.1.dr
Source:	Binary string: RegAsm.pdb4 source: wmaJOYGy7Q.exe, 00000001.00000003.245266726.000000000659F000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.481832170.00000000007A2000.00000002.00020000.sdmp, RegAsm.exe, 0000000A.00000000.265143944.00000000000D2000.00000002.00020000.sdmp, RegAsm.exe.1.dr

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 5.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_0019433D push ebx; retf	1_2_0019440B
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_00194CB9 pushad ; retf	1_2_00194CC0
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_001930BD push ds; retf	1_2_001931D1
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_00192FA7 push ds; retf	1_2_001931D1
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_001943EE push ebx; retf	1_2_0019440B
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Code function: 1_2_0625C75A push 8BF08BFAh; iretd	1_2_0625C75F
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_007A4469 push cs; retf	5_2_007A449E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_007A44A3 push es; retf	5_2_007A44A4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_007A4289 push es; retf	5_2_007A4294
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_04FA69F8 pushad ; retf	5_2_04FA69F9
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_04FA6A00 push esp; retf	5_2_04FA6A01
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 10_2_000D4289 push es; retf	10_2_000D4294
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 10_2_000D4469 push cs; retf	10_2_000D449E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 10_2_000D44A3 push es; retf	10_2_000D44A4

Source: wmaJOYGy7Q.exe, Wk7s/Xb3o.cs	High entropy of concatenated method names: '.ctor', 'Pm5i', 'b3FQ', 'q6Z1', 'f8DT', 's6BP', 'La0j', 'Dz12', 'Zt59', 'e2L8'
Source: 1.0.wmaJOYGy7Q.exe.190000.0.unpack, Wk7s/Xb3o.cs	High entropy of concatenated method names: '.ctor', 'Pm5i', 'b3FQ', 'q6Z1', 'f8DT', 's6BP', 'La0j', 'Dz12', 'Zt59', 'e2L8'
Source: 1.2.wmaJOYGy7Q.exe.190000.0.unpack, Wk7s/Xb3o.cs	High entropy of concatenated method names: '.ctor', 'Pm5i', 'b3FQ', 'q6Z1', 'f8DT', 's6BP', 'La0j', 'Dz12', 'Zt59', 'e2L8'
Source: 5.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe

File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8A08.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	File opened: C:\Users\user\Desktop\wmaJOYGy7Q.exe\:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Temp\RegAsm.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Window / User API: threadDelayed 5402	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Window / User API: threadDelayed 4079	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Window / User API: foregroundWindowGot 861	Jump to behavior

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe TID: 4604	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe TID: 4812	Thread sleep count: 290 > 30	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe TID: 4812	Thread sleep count: 184 > 30	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe TID: 5280	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe TID: 6124	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 5548	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4656	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: wmaJOYGy7Q.exe, 00000001.00000002.256845416.0000000000A1C000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-7
Source: wmaJOYGy7Q.exe, 00000001.00000002.266076337.00000000055D0000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.490919069.0000000006990000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wmaJOYGy7Q.exe, 00000001.00000002.266076337.00000000055D0000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.490919069.0000000006990000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wmaJOYGy7Q.exe, 00000001.00000002.266076337.00000000055D0000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.490919069.0000000006990000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wmaJOYGy7Q.exe, 00000001.00000002.266076337.00000000055D0000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.490919069.0000000006990000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe

Code function: 1_2_0247C460 LdrInitializeThunk,

1_2_0247C460

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe

Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 89F008	Jump to behavior

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8A08.tmp'			Jump to behavior

Source: RegAsm.exe, 00000005.00000002.490783177.000000000637D000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000005.00000002.484462389.0000000001320000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000005.00000002.484462389.0000000001320000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000005.00000002.484462389.0000000001320000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: RegAsm.exe, 00000005.00000002.485546104.0000000002AF2000.00000004.00000001.sdmp	Binary or memory string: Program Manager8H

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Queries volume information: C:\Users\user\Desktop\wmaJOYGy7Q.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\wmaJOYGy7Q.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.490199362.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.486898144.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.484995497.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4764, type: MEMORY
Source: Yara match	File source: Process Memory Space: wmaJOYGy7Q.exe PID: 5344, type: MEMORY
Source: Yara match	File source: 5.2.RegAsm.exe.39c063c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.5250000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.39bb806.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.3756622.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.37892e0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.39c4c65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.37892e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.39c063c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.3539510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.5250000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.5254629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.3756622.7.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: wmaJOYGy7Q.exe, 00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000005.00000002.486898144.00000000039B9000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.490199362.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.486898144.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.484995497.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4764, type: MEMORY
Source: Yara match	File source: Process Memory Space: wmaJOYGy7Q.exe PID: 5344, type: MEMORY
Source: Yara match	File source: 5.2.RegAsm.exe.39c063c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.5250000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.39bb806.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.3756622.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.37892e0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.39c4c65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36f0ca2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.37892e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.39c063c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.3539510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.5250000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.368b2f2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.5254629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.36bdfd2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wmaJOYGy7Q.exe.3756622.7.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection312	Masquerading1	Input Capture21	Security Software Discovery1	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	DLL Side-Loading1	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection312	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing11	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wmaJOYGy7Q.exe	30%	Virustotal		Browse
wmaJOYGy7Q.exe	22%	ReversingLabs	ByteCode-MSIL.Trojan.NanoBot
wmaJOYGy7Q.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\RegAsm.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\RegAsm.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.RegAsm.exe.5250000.8.unpack	100%	Avira	TR/NanoCore.fadte		Download File
5.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.pki.goog/gsr1/gsr1.crl0;	0%	Avira URL Cloud	safe
http://ns.adobe.c/g%%_	0%	Avira URL Cloud	safe
http://crl.pki.goog/gtsr1/gtsr1.crl0W	0%	Avira URL Cloud	safe
http://pki.goog/gsr1/gsr1.crt02	0%	Avira URL Cloud	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
185.140.53.154	0%	Avira URL Cloud	safe
wealthybillionaire.ddns.net	0%	Avira URL Cloud	safe
http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0	0%	Avira URL Cloud	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://pki.goog/repo/certs/gts1c3.der0	0%	Avira URL Cloud	safe
http://pki.goog/repo/certs/gtsr1.der04	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wealthybillionaire.ddns.net	185.140.53.154	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
185.140.53.154	true	Avira URL Cloud: safe	unknown
wealthybillionaire.ddns.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.pki.goog/gsr1/gsr1.crl0;	wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.adobe.c/g%%_	wmaJOYGy7Q.exe, 00000001.00000003.255397342.00000000068CE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/gtsr1/gtsr1.crl0W	wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr1/gsr1.crt02	wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.adobe.c/g	wmaJOYGy7Q.exe, 00000001.00000003.235556788.00000000068CE000.00000004.00000001.sdmp, wmaJOYGy7Q.exe, 00000001.00000003.255397342.00000000068CE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	wmaJOYGy7Q.exe, 00000001.00000002.257403401.0000000002531000.00000004.00000001.sdmp	false		high
http://schema.org/WebPage	wmaJOYGy7Q.exe, 00000001.00000002.257464970.0000000002561000.00000004.00000001.sdmp	false		high
http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0	wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.ado/1	wmaJOYGy7Q.exe, 00000001.00000003.235556788.00000000068CE000.00000004.00000001.sdmp, wmaJOYGy7Q.exe, 00000001.00000003.255397342.00000000068CE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/repo/certs/gts1c3.der0	wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/repo/certs/gtsr1.der04	wmaJOYGy7Q.exe, 00000001.00000002.256892969.0000000000A3D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.154	wealthybillionaire.ddns.net	Sweden		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	435328
Start date:	16.06.2021
Start time:	12:27:50
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	wmaJOYGy7Q (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/8@3/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.8% (good quality ratio 0.9%) Quality average: 25.9% Quality standard deviation: 31.4%
HCA Information:	Successful, ratio: 97% Number of executed functions: 61 Number of non-executed functions: 13
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 23.211.6.115, 104.42.151.234, 142.250.185.68, 131.253.33.200, 13.107.22.200, 104.43.193.48, 52.255.188.83, 23.211.4.86, 20.49.157.6, 173.222.108.210, 173.222.108.226, 51.103.5.159, 20.54.7.98, 20.54.104.15, 20.54.26.129, 80.67.82.235, 80.67.82.211, 20.82.210.154 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, www.google.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:29:04	API Interceptor	1x Sleep call for process: wmaJOYGy7Q.exe modified
12:29:06	API Interceptor	887x Sleep call for process: RegAsm.exe modified
12:29:08	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegAsm.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.140.53.154	Updated Order COA.doc	Get hash	malicious	Browse
	Maersk BL & PL.exe	Get hash	malicious	Browse
	Quotation.exe	Get hash	malicious	Browse
	SWIFT.exe	Get hash	malicious	Browse
	Qotation.exe	Get hash	malicious	Browse
	SMJshb9rCD.exe	Get hash	malicious	Browse
	3z4ibRIdCl.exe	Get hash	malicious	Browse
	UfQ7WpbVPG.exe	Get hash	malicious	Browse
	9ieQE1S5ZH.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wealthybillionaire.ddns.net	Updated Order COA.doc	Get hash	malicious	Browse	185.140.53.154
	Revise Order Sheets.doc	Get hash	malicious	Browse	79.134.225.52
	TT SWIFT COPY.exe	Get hash	malicious	Browse	41.217.65.85
	bedrapes.exe	Get hash	malicious	Browse	154.118.68.3

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	Updated Order COA.doc	Get hash	malicious	Browse	185.140.53.154
	Payment confirmation.exe	Get hash	malicious	Browse	185.140.53.45
	03soKqWLfN.exe	Get hash	malicious	Browse	185.140.53.145
	installer.exe	Get hash	malicious	Browse	185.140.53.145
	Maersk BL & PL.exe	Get hash	malicious	Browse	185.140.53.154
	vmw7WdkJ6k.exe	Get hash	malicious	Browse	185.140.53.12
	ORDER.exe	Get hash	malicious	Browse	185.140.53.135
	ORDER-21611docx.exe	Get hash	malicious	Browse	185.165.153.116
	6VYNUalwUt.exe	Get hash	malicious	Browse	185.244.30.92
	ORDER-6010.pdf.exe	Get hash	malicious	Browse	185.244.30.92
	CONTRACT.exe	Get hash	malicious	Browse	185.140.53.135
	doc03027320210521173305IMG0012.exe	Get hash	malicious	Browse	185.140.53.230
	yfilQwrYpA.exe	Get hash	malicious	Browse	185.140.53.216
	Ff6m4N8pog.exe	Get hash	malicious	Browse	185.140.53.216
	yCdBrRiAN2.exe	Get hash	malicious	Browse	185.140.53.216
	loKHQzx6Lf.exe	Get hash	malicious	Browse	185.140.53.216
	SecuriteInfo.com.Program.Win32.Wacapew.Cml.7225.exe	Get hash	malicious	Browse	185.140.53.129
	Shipping Documents_Bill of Lading 910571880.exe	Get hash	malicious	Browse	185.140.53.129
	knqh5Hw6gu.exe	Get hash	malicious	Browse	185.140.53.13
	Container_Deposit_slip_pdf.jar	Get hash	malicious	Browse	185.244.30.47

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\RegAsm.exe	Trainer v22.3.exe	Get hash	malicious	Browse
	Trainer v 4.6.1.exe	Get hash	malicious	Browse
	PO 389293LC_pdf.exe	Get hash	malicious	Browse
	qPyjO8F0ND.exe	Get hash	malicious	Browse
	PAYMENT-PO#987654567.exe	Get hash	malicious	Browse
	n3sQ7uTU8v.exe	Get hash	malicious	Browse
	20014464370.PDF.exe	Get hash	malicious	Browse
	aXgdOUvL9L.exe	Get hash	malicious	Browse
	DHL#DOCUMENTS001010.PDF.exe	Get hash	malicious	Browse
	kyIfnzzg3E.exe	Get hash	malicious	Browse
	flyZab7hHk.exe	Get hash	malicious	Browse
	AedJpyQ9lM.exe	Get hash	malicious	Browse
	UPDATED SOA.exe	Get hash	malicious	Browse
	qdFDmi3Bhy.exe	Get hash	malicious	Browse
	RFQ27559404D4E5A.PDF.exe	Get hash	malicious	Browse
	Receiptn.exe	Get hash	malicious	Browse
	PURCHASE LIST.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.783.10804.exe	Get hash	malicious	Browse
	Y6k2VgaGck.exe	Get hash	malicious	Browse
	Bank swift.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wmaJOYGy7Q.exe.log Download File
Process:	C:\Users\user\Desktop\wmaJOYGy7Q.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1402
Entropy (8bit):	5.338819835253785
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7K84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoesX3:MIHK5HKXE1qHbHK5AHKzvKviYHKhQnoe
MD5:	F2152F0304453BCFB93E6D4F93C3F0DC
SHA1:	DD69A4D7F9F9C8D97F1DF535BA3949E9325B5A2F
SHA-256:	5A4D59CD30A1AF620B87602BC23A3F1EFEF792884053DAE6A89D1AC9AAD4A411
SHA-512:	02402D9EAA2DF813F83A265C31D00048F84AD18AE23935B428062A9E09B173B13E93A3CACC6547277DA6F937BBC413B839620BA600144739DA37086E03DD8B4F
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co

C:\Users\user\AppData\Local\Temp\RegAsm.exe Download File
Process:	C:\Users\user\Desktop\wmaJOYGy7Q.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64616
Entropy (8bit):	6.037264560032456
Encrypted:	false
SSDEEP:	768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
MD5:	6FD7592411112729BF6B1F2F6C34899F
SHA1:	5E5C839726D6A43C478AB0B95DBF52136679F5EA
SHA-256:	FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
SHA-512:	21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Trainer v22.3.exe, Detection: malicious, Browse Filename: Trainer v 4.6.1.exe, Detection: malicious, Browse Filename: PO 389293LC_pdf.exe, Detection: malicious, Browse Filename: qPyjO8F0ND.exe, Detection: malicious, Browse Filename: PAYMENT-PO#987654567.exe, Detection: malicious, Browse Filename: n3sQ7uTU8v.exe, Detection: malicious, Browse Filename: 20014464370.PDF.exe, Detection: malicious, Browse Filename: aXgdOUvL9L.exe, Detection: malicious, Browse Filename: DHL#DOCUMENTS001010.PDF.exe, Detection: malicious, Browse Filename: kyIfnzzg3E.exe, Detection: malicious, Browse Filename: flyZab7hHk.exe, Detection: malicious, Browse Filename: AedJpyQ9lM.exe, Detection: malicious, Browse Filename: UPDATED SOA.exe, Detection: malicious, Browse Filename: qdFDmi3Bhy.exe, Detection: malicious, Browse Filename: RFQ27559404D4E5A.PDF.exe, Detection: malicious, Browse Filename: Receiptn.exe, Detection: malicious, Browse Filename: PURCHASE LIST.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.783.10804.exe, Detection: malicious, Browse Filename: Y6k2VgaGck.exe, Detection: malicious, Browse Filename: Bank swift.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...xX.Z..............0.............^.... ........@.. ....................... ............`.....................................O.......8...............h>........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

C:\Users\user\AppData\Local\Temp\tmp8A08.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1307
Entropy (8bit):	5.1055546710401485
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0aa5xtn:cbk4oL600QydbQxIYODOLedq3Ba5j
MD5:	E1762CDA6D6A3715B829E81B77FF06F7
SHA1:	B9F6318A5E4CDB1462E45A0B08EE46D303C40715
SHA-256:	48A86564D25864484ABE34BAA5B71890B8AF30ADE8AC1CF14BBACAE28036F09F
SHA-512:	DC6218645DBE168DCB8DE01124694FF26ED033E7A5CE066FAA1D00817F2E51D167938B4FF4231F514F60895EF0FFE95880D401358C69E49126A219CBF7D3E705
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	6.888016992762183
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRN/T8OpnPJS0zm+MW7OMVCUtOGouheflY838Ps:X4LDAnybgCFgwOpxS0T6MVXt7oVlYO80
MD5:	428943A5826E86C05E99C546AC9047A5
SHA1:	CA9F6226703DC0C08BA90B2D1AE600D65BC326B6
SHA-256:	9035E4EF869AAB276D3D53778202765133E9729234DA209C8F3EDFD1725ADDA9
SHA-512:	0A0EB940311463F56BF6ECD36D5ECC0FEC8838F7BFB71064600722B7AE656B92F46815DE5A5CF0B72072F7F5199B02BBE8BA562E4E98255BCF8F55331FE708DB
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S...X..:..............i...v.o{3.O....t.aQ.N.S..r.1w..akdp....._.H.;%g..7.N..R3$....jY....h.c..n.Q,.Y.W.].`..v....6.WI.l

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:9Qt:94
MD5:	EF699DB7839567D50C2DB9B9C2976141
SHA1:	163B8148EC1ABD31E6636DF6292F9359D63BF6EF
SHA-256:	6C45578026299778E2A8AA035587BF27ED6D59116FB0055848560E423691DF4D
SHA-512:	9B9D2AEE24DA97AB70AAA725A332B4CF4B656CEB41F1E84E13296C3080D090B4E38EBD1340E3B2DF10D447A0786BF2F4B03E5D4DD8828D84E64E3F7E9F9AEDDB
Malicious:	true
Preview:	1.c..0.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\RegAsm.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.308768198567054
Encrypted:	false
SSDEEP:	3:oNWXp5cViE2J5xAI0L4A:oNWXp+N23f0L4A
MD5:	C9298EEE68389B937EFD1A5CE3DB10A2
SHA1:	2D299BA869C5386FB114AA6016DCB0607DFE98E0
SHA-256:	270C3AC669C532CE18737BFD72CB2981B65A6F08FF2B7EB5C9A4D8834AEB4E62
SHA-512:	1EF5C4AC44E1658DC8EA56F98B2714297D39937B9817E4F843D067F59D2778EC3D65E34DD467442F8B7D86248813E834D47A71D79EC3CE2D8E54B8A41BF19FDE
Malicious:	false
Preview:	C:\Users\user\AppData\Local\Temp\RegAsm.exe

\Device\ConDrv Download File
Process:	C:\Users\user\AppData\Local\Temp\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	275
Entropy (8bit):	4.839531074781769
Encrypted:	false
SSDEEP:	6:z30qJ5tUI+30qobtUmYRZBXVNYL0dxKaRFfnYJin:z30mc30b4BFNY4xNYU
MD5:	1B648D405C15ECA8CF1B9B0469B5627E
SHA1:	C6BBAEDE7AE2353E15271F1FBAA18588BEF0E922
SHA-256:	52FF7329D9E47BF7366892E79338FEE702C60D1F3ADB2EDDB601DFAEC8F170A0
SHA-512:	086EC3F608C80CDB6DC844366CFBBA5237ABCEB5306C0EF7C91600003F1A169CD94EB07D3680E943C9AC498CBA3845857756C5D745A66999BE78C263E5C4405F
Malicious:	false
Preview:	Microsoft .NET Framework Assembly Registration Utility version 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....RegAsm : error RA0000 : Unable to locate input assembly '0' or one of its dependencies...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.648738100237886
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	wmaJOYGy7Q.exe
File size:	659456
MD5:	5688c69c4379841eee42dcaec2dbf55a
SHA1:	09a30ec730d1fdf77e80f6d31aa4d810e36b1c44
SHA256:	62801897ae3411a8f144f2f7290ad2133ad0895f4f1550922dca9c6f4b9e8114
SHA512:	1cee75d6ffdc9a1e9e903672c83a7e042e9a6a34d42b156bd11a6ed215a82fe336e86158892a6ee129239f52f22ccfe19062d8668c6b9be5027775bd19424174
SSDEEP:	6144:ie7tkcyarn5KfNZCM2RG+zcwxOVbcEkXd5+d/T7xvoldaoAxKiYe1SvA5UamZ6vh:XFn5W8M4GSYbcb/+V7B+AcigemZ6Xd
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....37B............................~'... ...@....@.. ....................................`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4a277e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x4237339B [Tue Mar 15 19:12:27 2005 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa2724	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa4000	0x394	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa0784	0xa0800	False	0.623986930491	data	6.65837482247	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa4000	0x394	0x400	False	0.375	data	2.92347158321	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa6000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xa4058	0x33c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2019
Assembly Version	1.0.0.0
InternalName	Test03.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	WindowsApplication8
ProductVersion	1.0.0.0
FileDescription	WindowsApplication8
OriginalFilename	Test03.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/16/21-12:29:07.971503	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49741	5540	192.168.2.3	185.140.53.154
06/16/21-12:29:14.548582	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49746	5540	192.168.2.3	185.140.53.154

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 16, 2021 12:29:07.490700006 CEST	49741	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:07.922261000 CEST	5540	49741	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:07.922348976 CEST	49741	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:07.971503019 CEST	49741	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:08.922668934 CEST	5540	49741	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:08.924315929 CEST	49741	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:08.924391031 CEST	49741	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:09.562900066 CEST	5540	49741	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:09.562977076 CEST	49741	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:09.972620010 CEST	49741	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:10.681991100 CEST	5540	49741	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:10.682112932 CEST	49741	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:12.552644014 CEST	5540	49741	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:12.552761078 CEST	49741	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:13.537822008 CEST	5540	49741	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:13.537962914 CEST	49741	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:14.028127909 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:14.547677994 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:14.547768116 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:14.548582077 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:15.612443924 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:15.657630920 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:15.657823086 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:15.852309942 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:15.852525949 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:15.963130951 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:16.077769041 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:16.077938080 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:16.342114925 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:16.342235088 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:16.647393942 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:16.777666092 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:16.812766075 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:16.812879086 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:16.847641945 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:16.887547016 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:16.887697935 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:16.932410002 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:16.974426985 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:17.012948036 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:17.013024092 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:17.046375990 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:17.046443939 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:17.072834015 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:17.072906017 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:17.123218060 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:17.123295069 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:17.232800961 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:17.232886076 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:17.498099089 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:17.499242067 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:17.547550917 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:17.547872066 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:17.562417030 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:17.563321114 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:17.597722054 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:17.598424911 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:17.643079996 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:17.643176079 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:17.677794933 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:17.677952051 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:17.702750921 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:17.702830076 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:17.772835970 CEST	5540	49746	185.140.53.154	192.168.2.3
Jun 16, 2021 12:29:17.775041103 CEST	49746	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:21.036312103 CEST	49747	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:24.125603914 CEST	49747	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:30.238332033 CEST	49747	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:39.490036964 CEST	49751	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:42.511729956 CEST	49751	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:48.512250900 CEST	49751	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:29:57.397264004 CEST	49761	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:30:00.419893980 CEST	49761	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:30:06.435575962 CEST	49761	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:30:14.044517040 CEST	49768	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:30:17.124208927 CEST	49768	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:30:23.140103102 CEST	49768	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:30:30.723155022 CEST	49769	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:30:33.734788895 CEST	49769	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:30:39.750849009 CEST	49769	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:30:47.268673897 CEST	49771	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:30:50.283010960 CEST	49771	5540	192.168.2.3	185.140.53.154
Jun 16, 2021 12:30:56.299109936 CEST	49771	5540	192.168.2.3	185.140.53.154

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 16, 2021 12:28:37.702236891 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:37.761013031 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:38.603627920 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:38.657705069 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:39.220787048 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:39.281111956 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:39.583065987 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:39.642147064 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:40.628341913 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:40.680713892 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:42.073586941 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:42.125921011 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:43.508949995 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:43.565169096 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:44.690946102 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:44.747298002 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:45.758795023 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:45.809024096 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:46.974965096 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:47.025391102 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:47.177194118 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:47.236038923 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:47.660229921 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:47.728024960 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:47.759387016 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:47.818418980 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:47.919389963 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:47.972465038 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:48.921283007 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:48.973042965 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:50.215818882 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:50.268131971 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:51.656266928 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:51.706892014 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:52.590209007 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:52.641028881 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:56.477844954 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:56.531141996 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:57.648330927 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:57.704926968 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 16, 2021 12:28:58.606684923 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:28:58.657126904 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:00.720169067 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:00.771167994 CEST	53	61292	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:08.316199064 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:08.379998922 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:13.798719883 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:13.863845110 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:32.973237991 CEST	61946	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:33.032516003 CEST	53	61946	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:33.131079912 CEST	64910	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:33.192934990 CEST	53	64910	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:33.388823032 CEST	52123	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:33.466826916 CEST	53	52123	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:52.043622017 CEST	56130	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:52.188194990 CEST	53	56130	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:52.855257034 CEST	56338	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:52.914469004 CEST	53	56338	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:53.511935949 CEST	59420	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:53.569434881 CEST	53	59420	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:54.099560022 CEST	58784	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:54.169015884 CEST	53	58784	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:54.840084076 CEST	63978	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:54.991950035 CEST	53	63978	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:55.585366964 CEST	62938	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:55.648554087 CEST	53	62938	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:55.964256048 CEST	55708	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:56.039813042 CEST	53	55708	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:56.141788960 CEST	56803	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:56.202188015 CEST	53	56803	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:57.081562042 CEST	57145	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:57.131973028 CEST	53	57145	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:57.334021091 CEST	55359	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:57.394704103 CEST	53	55359	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:58.004036903 CEST	58306	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:58.054419041 CEST	53	58306	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:59.171530008 CEST	64124	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:59.230262041 CEST	53	64124	8.8.8.8	192.168.2.3
Jun 16, 2021 12:29:59.662997961 CEST	49361	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:29:59.723294973 CEST	53	49361	8.8.8.8	192.168.2.3
Jun 16, 2021 12:30:13.983805895 CEST	63150	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:30:14.042826891 CEST	53	63150	8.8.8.8	192.168.2.3
Jun 16, 2021 12:30:30.657831907 CEST	53279	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:30:30.721060991 CEST	53	53279	8.8.8.8	192.168.2.3
Jun 16, 2021 12:30:37.877840042 CEST	56881	53	192.168.2.3	8.8.8.8
Jun 16, 2021 12:30:37.957078934 CEST	53	56881	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 16, 2021 12:29:57.334021091 CEST	192.168.2.3	8.8.8.8	0x7918	Standard query (0)	wealthybillionaire.ddns.net	A (IP address)	IN (0x0001)
Jun 16, 2021 12:30:13.983805895 CEST	192.168.2.3	8.8.8.8	0xd459	Standard query (0)	wealthybillionaire.ddns.net	A (IP address)	IN (0x0001)
Jun 16, 2021 12:30:30.657831907 CEST	192.168.2.3	8.8.8.8	0x6d05	Standard query (0)	wealthybillionaire.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jun 16, 2021 12:29:57.394704103 CEST	8.8.8.8	192.168.2.3	0x7918	No error (0)	wealthybillionaire.ddns.net	185.140.53.154	A (IP address)	IN (0x0001)
Jun 16, 2021 12:30:14.042826891 CEST	8.8.8.8	192.168.2.3	0xd459	No error (0)	wealthybillionaire.ddns.net	185.140.53.154	A (IP address)	IN (0x0001)
Jun 16, 2021 12:30:30.721060991 CEST	8.8.8.8	192.168.2.3	0x6d05	No error (0)	wealthybillionaire.ddns.net	185.140.53.154	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wmaJOYGy7Q.exe PID: 5344 Parent PID: 5792

General

Start time:	12:28:45
Start date:	16/06/2021
Path:	C:\Users\user\Desktop\wmaJOYGy7Q.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\wmaJOYGy7Q.exe'
Imagebase:	0x190000
File size:	659456 bytes
MD5 hash:	5688C69C4379841EEE42DCAEC2DBF55A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.263955446.0000000003658000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.263784829.0000000003538000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.264154236.0000000003756000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 4764 Parent PID: 5344

General

Start time:	12:28:59
Start date:	16/06/2021
Path:	C:\Users\user\AppData\Local\Temp\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RegAsm.exe
Imagebase:	0x7a0000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.481468397.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.490006265.0000000005050000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.490006265.0000000005050000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.490199362.0000000005250000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.490199362.0000000005250000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.490199362.0000000005250000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.486898144.00000000039B9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.486898144.00000000039B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.484995497.0000000002971000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 5812 Parent PID: 4764

General

Start time:	12:29:06
Start date:	16/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8A08.tmp'
Imagebase:	0x1210000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1240 Parent PID: 5812

General

Start time:	12:29:06
Start date:	16/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 6140 Parent PID: 528

General

Start time:	12:29:08
Start date:	16/06/2021
Path:	C:\Users\user\AppData\Local\Temp\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
Imagebase:	0xd0000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6048 Parent PID: 6140

General

Start time:	12:29:08
Start date:	16/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: wmaJOYGy7Q.exe PID: 5344 Parent PID: 5792 wmaJOYGy7Q.exeCOMMON

Executed Functions

Function 0247C460, Relevance: 1.8, APIs: 1, Instructions: 279libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0247C75A

Memory Dump Source

Source File: 00000001.00000002.257079063.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0aac9486bc021b1a48abae12d0d08625f8d467d1def9c78ae9809058fc64bb4
Instruction ID: de23050c9593aa2e9f364aeee94820fa79b02a4078e858d8f053a619d66eaf24
Opcode Fuzzy Hash: e0aac9486bc021b1a48abae12d0d08625f8d467d1def9c78ae9809058fc64bb4
Instruction Fuzzy Hash: 34A16930A041149BDB14DBA8D9D5BEDB7B6EB89304F15842BE526EB390CB34DC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 062517B0, Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d9a61b589e9d564aff8d5281305f6eafc7feeee14fc927bddeca17d2875f54
Instruction ID: 54e93bf20b2d3b088cfdb0c59ad17415cee8b358f0186f3225a7b7b71766b643
Opcode Fuzzy Hash: 77d9a61b589e9d564aff8d5281305f6eafc7feeee14fc927bddeca17d2875f54
Instruction Fuzzy Hash: 7D321A74D01228CFDB65DF64D844BADBBB2FB49305F1084A9E80AA7791DB359E86CF10

Uniqueness

Uniqueness Score: -1.00%

Function 062517C0, Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78fa3d15da517dadd4f0ab1183b6f6f8ea05fe6555313ea097e9336cd91bf186
Instruction ID: d1e102dad3206253c4a0dc269e2f7ecb8316109b9aa8e43447b616492279e804
Opcode Fuzzy Hash: 78fa3d15da517dadd4f0ab1183b6f6f8ea05fe6555313ea097e9336cd91bf186
Instruction Fuzzy Hash: 0B320A74D01228CFDB65DF64D844BADBBB2FB49305F1084A9E80AA7391DB359E86DF10

Uniqueness

Uniqueness Score: -1.00%

Function 06250040, Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db47857cb11ad896fb74655ab3d35018ec2fbed942368db53f2aed0d9001ed0
Instruction ID: af7dfc7ec6ce583730449218654108427295a73b43e7c7f8430a12ea24372ed1
Opcode Fuzzy Hash: 8db47857cb11ad896fb74655ab3d35018ec2fbed942368db53f2aed0d9001ed0
Instruction Fuzzy Hash: 9E22DF75A00218DFDB65CFA9C944F98BBB2FF49304F0580E9E909AB262CB319D95DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0247D3C0, Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257079063.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30238e74949d50648672a3e065bbd22ac3f20b541cc0069e1641fb29bd764dd
Instruction ID: d105e909b09f3a7100a6a48a641463bc27958fcb55e94093bd2ea5c486ade187
Opcode Fuzzy Hash: b30238e74949d50648672a3e065bbd22ac3f20b541cc0069e1641fb29bd764dd
Instruction Fuzzy Hash: 34B1D734F24A11CFDB241B3589467BB72A6AFC0A55F19482FD4ABC67A4CF34C886C752

Uniqueness

Uniqueness Score: -1.00%

Function 06257908, Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd069521866ad8291ac5f52f2e9012ed874d6ac216bcca99e814b43788a905f0
Instruction ID: ccc81f4a0dad0832e81b68de9b04f2a0261810717804b7da9555317d4d090896
Opcode Fuzzy Hash: bd069521866ad8291ac5f52f2e9012ed874d6ac216bcca99e814b43788a905f0
Instruction Fuzzy Hash: 78B16A70E00249DFCB64DFA9C444A9EBBF1FF89304F258529E919AB350DB309985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0247F140, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257079063.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fc1e6afd467774a4f11dc771ac9b358ac45b2b2e098a7d596c90b99335aa30
Instruction ID: 0a57968f2a7bdfe23c06e6755a1250c7942ea27cdaac3e0646776c4686f76916
Opcode Fuzzy Hash: 07fc1e6afd467774a4f11dc771ac9b358ac45b2b2e098a7d596c90b99335aa30
Instruction Fuzzy Hash: 4691F5356081908FC7168B68D8543EABBB5EF86304F1641BBD4A6CBE52C7358D8BC792

Uniqueness

Uniqueness Score: -1.00%

Function 02479F90, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257079063.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9069f09fc403deda44a32a8ceeb25af603cd1054c1465c6813292af861cc098a
Instruction ID: 546e2de50bea1cb8a9507ee70b14130df1f79e6e9ddebe5a280907d8eea314b5
Opcode Fuzzy Hash: 9069f09fc403deda44a32a8ceeb25af603cd1054c1465c6813292af861cc098a
Instruction Fuzzy Hash: 9351E1316081A18BE7118B698C517EFBBB6EFCA214F098567D4B6DB291C6358882C751

Uniqueness

Uniqueness Score: -1.00%

Function 062595BD, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff597893c5034e66d416ef73f4784d708b3b6e23afdcdfb2dd04fdf6f3cdab0
Instruction ID: 5f9656293f9df8e14f58ce3a4ecbb43ff2077b8402e46da99201b3e80f0b3ed9
Opcode Fuzzy Hash: dff597893c5034e66d416ef73f4784d708b3b6e23afdcdfb2dd04fdf6f3cdab0
Instruction Fuzzy Hash: D8419AB4D00348DFCB20CFA9C984ADEBBF5AF09304F21942AE819BB250DB749985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06256808, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0cf558cbcb29a985bf2bf4c1c01f26b54c7caf9449d1b13d5b8bb746a71945
Instruction ID: 14c39b7aaa8a826dc04ae134949fafb01dfb98e7b521f5c8137557ab7086fef3
Opcode Fuzzy Hash: cc0cf558cbcb29a985bf2bf4c1c01f26b54c7caf9449d1b13d5b8bb746a71945
Instruction Fuzzy Hash: 5D41BCB4D142489FDF60DFA9C584B9EFBF0EB09314F60902AE815BB260DB74A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0625731F, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb62c2f3b4a5a7fe31b30d909a6fb1ba3a89370c76cfd4d40205981d95f4802
Instruction ID: 83ef3edb816cc9aa6a8aa0d54903dcffe9cd6d49c4c160f5bc8fc62a1a70e3cc
Opcode Fuzzy Hash: 0fb62c2f3b4a5a7fe31b30d909a6fb1ba3a89370c76cfd4d40205981d95f4802
Instruction Fuzzy Hash: AF219EB4D04209EFDB54CFAAC444AEEBBF1AB49360F10E529EC14B7250D7348A81CF98

Uniqueness

Uniqueness Score: -1.00%

Function 06257328, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39347c3aff05c783e0437bcd4843fdf41aeee58fb375b92ab7c63bd841867959
Instruction ID: 8143a37f71e3b1592573c73dadf0becbf8891ac81b1a83baf61c86ab4b8ae5f5
Opcode Fuzzy Hash: 39347c3aff05c783e0437bcd4843fdf41aeee58fb375b92ab7c63bd841867959
Instruction Fuzzy Hash: 70215D74D14209EFDB54CFAAD484AEEBBB1AB49360F10E129EC24B7250D7349985CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0625725F, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf0d893b6f767617d1bba0879945c1112d2961ed90710af19a751f9177bb7fb
Instruction ID: 7f6c8e744eb791c627003508857056d8557e1e7c8d723c95a20c54b2772e568c
Opcode Fuzzy Hash: 7bf0d893b6f767617d1bba0879945c1112d2961ed90710af19a751f9177bb7fb
Instruction Fuzzy Hash: D8F097B4D0520C9F8F04CFA9D4418DEFBF2AB59310F10A12AE804B3310E73099418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 06257260, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction ID: b9629fb58d01765ca2cc798bbcb8fa9573ba3d3a0d77fbf84b14f5b786945610
Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction Fuzzy Hash: F9F042B5D1520C9F8F04DFA9D5418EEFBF2AB5A310F10A16AE818B3310E73599518FA8

Uniqueness

Uniqueness Score: -1.00%

Function 06257257, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e096e9115a4dab5ff2101b4c133270a6ed5e4489f1e40002736ad0f5212a11
Instruction ID: 4b43c9b52f8c3c0778178db4cd3862a5ad761521db6115a1406f9a1e1b3f7e16
Opcode Fuzzy Hash: 37e096e9115a4dab5ff2101b4c133270a6ed5e4489f1e40002736ad0f5212a11
Instruction Fuzzy Hash: DEE01234D5120C8F8B10CFA4C8448EDFBF2EB6E220F20A025EC45B3710D6328D918FA8

Uniqueness

Uniqueness Score: -1.00%

Function 06251509, Relevance: 1.6, APIs: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 062515A9

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 08082c27ccabf5391f1208fda3fce7bdaf72e9d0a2da579446ba0d2790b53424
Instruction ID: 3c747673b77f2fb58eca7d3cc48b26643731f759ec33e3ea3ea6f14d85a32c2b
Opcode Fuzzy Hash: 08082c27ccabf5391f1208fda3fce7bdaf72e9d0a2da579446ba0d2790b53424
Instruction Fuzzy Hash: C631DDB4D05259DFCB10CFA9D884AEEFBF5BF49314F15806AE805B7250D374A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 06251510, Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 062515A9

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5133aa11366505d29d6c781a4e24a11c5a8c5f1355bf5eaa3a17d3b9b0b1046a
Instruction ID: 53bcfcf46cec5d074714a214a67df6e69aec4b1fde1b8bd555a35aea454694a0
Opcode Fuzzy Hash: 5133aa11366505d29d6c781a4e24a11c5a8c5f1355bf5eaa3a17d3b9b0b1046a
Instruction Fuzzy Hash: 2531BAB4D012589FCB10CFA9D884AEEFBF5BB49314F14806AE805B7210D734AA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0247AC40, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0247ACF7

Memory Dump Source

Source File: 00000001.00000002.257079063.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 035db95d790074e5d0f5d5eca29592b24c91a3a2e88b2f160c59582a43e9bb5d
Instruction ID: 3f4564d0a2e38dfa214a99877f2193d278ea983026f7d0dd02fb9c12b9a9c734
Opcode Fuzzy Hash: 035db95d790074e5d0f5d5eca29592b24c91a3a2e88b2f160c59582a43e9bb5d
Instruction Fuzzy Hash: 7211C4327042346BE7249B698C46BAF729BEB80314F21453BB21AD72C0CFB49D458691

Uniqueness

Uniqueness Score: -1.00%

Function 008ED4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.256510181.00000000008ED000.00000040.00000001.sdmp, Offset: 008ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae69b27cc981aa7738cc48b4c52906754a8f5887d311b06031c870edef89e89
Instruction ID: 2612e85421cab28bb7d221a4328a6fb619e63f371e025aa67632ee12acafc0a6
Opcode Fuzzy Hash: 5ae69b27cc981aa7738cc48b4c52906754a8f5887d311b06031c870edef89e89
Instruction Fuzzy Hash: 392133B1504384DFDB05DF14D9C0B26BB65FB9832CF348569E9068A246C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008ED3B4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.256510181.00000000008ED000.00000040.00000001.sdmp, Offset: 008ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89243d591274562930a359edf35dceb141c92eb376dbe1255b967eef0ea65a8f
Instruction ID: 54540dce619af02901b2030d72ccd3c2f1e92f1f962ad4a4dd8a09bb1332e441
Opcode Fuzzy Hash: 89243d591274562930a359edf35dceb141c92eb376dbe1255b967eef0ea65a8f
Instruction Fuzzy Hash: 942128B1504384DFCB05DF14D8C0B16BB65FBA532CF24C569E9058B286C336E85AD7A2

Uniqueness

Uniqueness Score: -1.00%

Function 008ED49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.256510181.00000000008ED000.00000040.00000001.sdmp, Offset: 008ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
Instruction ID: dcd6a71d8acb5797d54a2735bb4802e63952821cd8418ab3bfea2178a617d3d7
Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
Instruction Fuzzy Hash: 0211B176804380CFCB12CF14D5C4B16BF71FB95324F2486A9D8054B656C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008ED3AF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.256510181.00000000008ED000.00000040.00000001.sdmp, Offset: 008ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
Instruction ID: 3a06bab43aaf26d5f856767673392cebaea28240bb3be360c1c1b1d963fa7d99
Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
Instruction Fuzzy Hash: EB11D3B6404380CFCB12CF10D5C4B16BF71FB95328F24C6A9D8454B656C336E85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008ED805, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.256510181.00000000008ED000.00000040.00000001.sdmp, Offset: 008ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3491cfe33f2cb3126de6c71838712ed2c2f2c7d6d7b8a446cf84d8627677519
Instruction ID: 30e85686eae0c3966368e7d44e268edacc75721b26efd6b366d9027150768905
Opcode Fuzzy Hash: f3491cfe33f2cb3126de6c71838712ed2c2f2c7d6d7b8a446cf84d8627677519
Instruction Fuzzy Hash: DC01A7714083E4DAD7205F27CC84767BB98FF52378F18887AEE149B246C7759848D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 008ED804, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.256510181.00000000008ED000.00000040.00000001.sdmp, Offset: 008ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6a2673261f880246e13d272cbe87e18ca8e14973dd9a5bcea4ed4b66c2019a
Instruction ID: 1c680abdbfbe43f9805d7791308bf002de7207866446e76f73918f65b35622fe
Opcode Fuzzy Hash: 1f6a2673261f880246e13d272cbe87e18ca8e14973dd9a5bcea4ed4b66c2019a
Instruction Fuzzy Hash: ACF06271404394AEE7108F1ACCC4B66FB98EB52774F18C46AED189B286C3799C48CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06257ECF, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0526516633fe82671c967b8d23dfa9f957009407af1618c60c2c99fcc461f9
Instruction ID: a8028848301ca9fd624ed263299f7c1b303afce10bc2db00b1434ca8b3a43320
Opcode Fuzzy Hash: ac0526516633fe82671c967b8d23dfa9f957009407af1618c60c2c99fcc461f9
Instruction Fuzzy Hash: 8CD12831C2074A8ACB10EB74D994AADB771FFD5300F118B9AE54977224FB706AC9CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02478BC8, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257079063.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4807ac4f181a1f75c7a1e6f0cf285078757454ea566f3ebdc5cd44b6e7e13ab
Instruction ID: 87af8b230a39feb469e30484287c14a1444562d38cf1ef9589e1467ef9e412f4
Opcode Fuzzy Hash: c4807ac4f181a1f75c7a1e6f0cf285078757454ea566f3ebdc5cd44b6e7e13ab
Instruction Fuzzy Hash: 2BB16C74E08114CFCB14CBA8C585BEEB7B2EF88300F55856AE426AB355D734EC82DB91

Uniqueness

Uniqueness Score: -1.00%

Function 06257EE0, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6c415088904a762b039d0f59f55892b352666527b734931dbae46684a018da
Instruction ID: 9ec5d81f4548f301dbc047e5886029adcd3c3d59f17fd8baccba3daef5453f4b
Opcode Fuzzy Hash: 7c6c415088904a762b039d0f59f55892b352666527b734931dbae46684a018da
Instruction Fuzzy Hash: 6AD11731C20B4A8ACB10EB74D994AADB371FFD5300F518B9AE54977224FB706AC9CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02479808, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.257079063.0000000002470000.00000040.00000001.sdmp, Offset: 02470000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e8a290f6d14e406bec4d18f1c5897bc367bba92608aa71ca21ff7778cd1190
Instruction ID: 1a22ad58aee67edbd0ea96116f029d5881ff08ba214aaa3c2c1c606168a7a464
Opcode Fuzzy Hash: f0e8a290f6d14e406bec4d18f1c5897bc367bba92608aa71ca21ff7778cd1190
Instruction Fuzzy Hash: DB512571B181808BE7118A6988113EBBBB6EFC6214F0A456BD5F6CB791CB34C9C6C352

Uniqueness

Uniqueness Score: -1.00%

Function 06250006, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d75d073cc1a82b9f07f6877a6cec61ec6f4ae1d77c6a629fcce1816da9c715e
Instruction ID: 33560bc32ccb6b593faf24b5c271f4bf38d7166dd5cd6b97d755c1d977ae7aa4
Opcode Fuzzy Hash: 3d75d073cc1a82b9f07f6877a6cec61ec6f4ae1d77c6a629fcce1816da9c715e
Instruction Fuzzy Hash: D5413EB1E056589FEB19CF6ACC517CABBB3AFC9300F05C0AAD448AB265DB304945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06256FFC, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c946299c20b4fd236ac96e21d4609322bc51227e8be9f980f22f7466b361a40c
Instruction ID: 3a23a05182f19c99ba919381e42bb07c07e6f8ec9cd58e1c298519640982c68d
Opcode Fuzzy Hash: c946299c20b4fd236ac96e21d4609322bc51227e8be9f980f22f7466b361a40c
Instruction Fuzzy Hash: 7C318BB4D01209EFCB54CFA9D884AADBBF1BB89350F24912AE814B7350D7359945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06257008, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1320ff8309adcfa6fd53a224951afbdd7824d5e1af2bb73e1b67c5437854279e
Instruction ID: a4919729243befc5b0527177462ffa23eb4a63126a3c623ab6d1d75149cfc770
Opcode Fuzzy Hash: 1320ff8309adcfa6fd53a224951afbdd7824d5e1af2bb73e1b67c5437854279e
Instruction Fuzzy Hash: 7E318CB4D01209EFCB54CFA9D484AEEBBF2BB89310F24912AE814B7390D7359945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0625F24F, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9859452e45c3402e22567b82c226efc6135e650bf99ff686c48fa39731dae08b
Instruction ID: ec2fa1165f0500e265f745920c8b4977e90a3d81e8b24bc4d726c3fe9c0c782c
Opcode Fuzzy Hash: 9859452e45c3402e22567b82c226efc6135e650bf99ff686c48fa39731dae08b
Instruction Fuzzy Hash: 6121D8B1E116189BEB58CFABD94069EFBF7AFC8300F14C17A981CAB255DB3049468F40

Uniqueness

Uniqueness Score: -1.00%

Function 0625F250, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b964537e2e471c5d352041bcd3b5f1f44f3e23d00213a72a693a33f337e1ce
Instruction ID: a477172adfba24fbef454e742e8d3caf8ac12425ca157c1663a20a14ca0dbb64
Opcode Fuzzy Hash: 44b964537e2e471c5d352041bcd3b5f1f44f3e23d00213a72a693a33f337e1ce
Instruction Fuzzy Hash: D421D8B1E116189BEB58CFABD94069EFAF7AFC8300F14C17A9818AB255DB3049468F40

Uniqueness

Uniqueness Score: -1.00%

Function 06258489, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d34a4c435d2e397d415b5a7eb91fd36b957fdd08463b9a9cd01f3a5c14895c36
Instruction ID: 23facab1616e52758ed8e53c51811dc005e8b144225a270d53c2a0fc10607591
Opcode Fuzzy Hash: d34a4c435d2e397d415b5a7eb91fd36b957fdd08463b9a9cd01f3a5c14895c36
Instruction Fuzzy Hash: 1821E971E116189BEB28CFABD94078DFBF7AFC8300F14C16AD819A7254EB7549468F00

Uniqueness

Uniqueness Score: -1.00%

Function 06252558, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb09cb052706a8dadca3fbc23dde4015fac336350d5ab80df2fbc6d0f250641
Instruction ID: 0926ee95bcad2f5e5323c29e77ee20ccfd122824f6ab0938db40e71288820f86
Opcode Fuzzy Hash: 1eb09cb052706a8dadca3fbc23dde4015fac336350d5ab80df2fbc6d0f250641
Instruction Fuzzy Hash: 6B21BAB1D056498BEB58CFABC95429DFBF3AFC8300F14C06AC818AB269DB754506CE50

Uniqueness

Uniqueness Score: -1.00%

Function 06258490, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88916c16adfd2b205cba8ce776ad7e5e971acb9e7db77be40b94790a95cf0f39
Instruction ID: 546fc5dcf8d443293ebac85bff1bc3d7e23fcc2236bdb1458f31b9182ed1638a
Opcode Fuzzy Hash: 88916c16adfd2b205cba8ce776ad7e5e971acb9e7db77be40b94790a95cf0f39
Instruction Fuzzy Hash: AD21E571E116189BEB28CFABD94078DFBF7AFC8200F14C17AD819A7254EB7449468F40

Uniqueness

Uniqueness Score: -1.00%

Function 06252568, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.267358172.0000000006250000.00000040.00000001.sdmp, Offset: 06250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9252892cddf209762ba5daddb2c99a4a63ef44bfbe82ed0a5b7f189498baf716
Instruction ID: 3886f8022cfb33fc2284dd80ca4aecbfb9b3b75f08445d921f036a0a83b27fc5
Opcode Fuzzy Hash: 9252892cddf209762ba5daddb2c99a4a63ef44bfbe82ed0a5b7f189498baf716
Instruction Fuzzy Hash: 08219CB1D016098BEB58CFABC94429DFBF7AFC8300F14C169C818A7264EB754506CE50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 4764 Parent PID: 5344 RegAsm.exeCOMMON

Executed Functions

Function 06386898, Relevance: 1.7, APIs: 1, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.490798798.0000000006380000.00000040.00000001.sdmp, Offset: 06380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7598b82f7c9f067de77c15e5f0cb9c18945c1b64b0213b747dad1f2cd2e78a
Instruction ID: 4c41f37bdfc6cd33666376da5dad524b0099e696a368d948e6081051fa4df28b
Opcode Fuzzy Hash: bf7598b82f7c9f067de77c15e5f0cb9c18945c1b64b0213b747dad1f2cd2e78a
Instruction Fuzzy Hash: 1D819871D043198FDB50DFA9C8817DEFBB5FF4A304F20802AE515AB240EB749949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E593E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 04E5962E

Memory Dump Source

Source File: 00000005.00000002.489573722.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a91484406339356949803d6a12959ffd41af10e6851785501cd3fb0bdf24a0b4
Instruction ID: daa0374e11366bbb4bfe06788ab455c2b0629be85c6e93c9df6b8cce176f92c0
Opcode Fuzzy Hash: a91484406339356949803d6a12959ffd41af10e6851785501cd3fb0bdf24a0b4
Instruction Fuzzy Hash: 527116B0A00B058FD724DF2AD48179ABBF1FF88318F10892DD98AD7A51D774F8458B91

Uniqueness

Uniqueness Score: -1.00%

Function 0638217C, Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06386A78

Memory Dump Source

Source File: 00000005.00000002.490798798.0000000006380000.00000040.00000001.sdmp, Offset: 06380000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: bf0022294fb6befdeacb30919274e610ffdafcc392e65110d8c28779fa9bd184
Instruction ID: 4779890e95f28067daa6f31dfe8e3221ac9377de6be5b23ed93262ae75c20c7a
Opcode Fuzzy Hash: bf0022294fb6befdeacb30919274e610ffdafcc392e65110d8c28779fa9bd184
Instruction Fuzzy Hash: A35103B1D003599FDB50DFA9D881BDEBBB5FF49304F20812AE814AB250DB749849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E5D9E8, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E5FD0A

Memory Dump Source

Source File: 00000005.00000002.489573722.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5223133f93617f6ea1df94b7118a2c82eb0da15539d60256862a5d60b11bd993
Instruction ID: d928120afebef2b0b92000acc32fe250794483e5ff6c5c005b76da7b017b1801
Opcode Fuzzy Hash: 5223133f93617f6ea1df94b7118a2c82eb0da15539d60256862a5d60b11bd993
Instruction Fuzzy Hash: 5251E3B1D04349DFDF14CFA9C880ADEBBB1BF48314F24852AE819AB210D770A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E5FBEC, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E5FD0A

Memory Dump Source

Source File: 00000005.00000002.489573722.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9fde52a20b5351d5163565cffd3e438e35253b8f9fe582d9f3ef2ae40ba47119
Instruction ID: 816b6d70c7d874715d129d7426b49ba1038379f310e2e6b91c33dc5b5104b4bb
Opcode Fuzzy Hash: 9fde52a20b5351d5163565cffd3e438e35253b8f9fe582d9f3ef2ae40ba47119
Instruction Fuzzy Hash: 1A51C0B1D10209DFDF14CFA9C884ADEBBB5FF48314F24852AE819AB210D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04E5DA04, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E5FD0A

Memory Dump Source

Source File: 00000005.00000002.489573722.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0938172ab8f1f4a6e2c6b6b04de1172df1e0a8d75f7fee4680f03a7126cf0998
Instruction ID: 651581cf98ab79c430976f81d4e3cf4d08c8f0e139925cfdae048c5d02977e3a
Opcode Fuzzy Hash: 0938172ab8f1f4a6e2c6b6b04de1172df1e0a8d75f7fee4680f03a7126cf0998
Instruction Fuzzy Hash: 4151A0B1D10309DFDF14CF99C884ADEBBB5BF48314F64852AE819AB210D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04FA45F4, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04FA46B1

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f3c9c5177bb078285c54d3a04ddf5537f9d377b69e60253f776f2917a37923cc
Instruction ID: 7c417c0e5f785dc0b1abb5d12548a808bb4af49a81e1f629af067fcd9409e2ea
Opcode Fuzzy Hash: f3c9c5177bb078285c54d3a04ddf5537f9d377b69e60253f776f2917a37923cc
Instruction Fuzzy Hash: 5E4104B1C00218CFDB24DFA9C8857DEBBB5BF49308F20815AD558BB250DBB56946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04FA3474, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04FA46B1

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 167dee785eee513bd60cb6f1f0db9989c2d3d372f632824f320ad4779c78086c
Instruction ID: 20519d34be2e26922bba1d57a8837a8f5afc61f9fd2a8895a69cba8e6268f088
Opcode Fuzzy Hash: 167dee785eee513bd60cb6f1f0db9989c2d3d372f632824f320ad4779c78086c
Instruction Fuzzy Hash: 5041F3B0C04658CBDB24DFA9C8457DEBBB5BF49308F208159D548BB250DBB5694ACFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04FA2470, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04FA2531

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 2e0649d79a589512adafa078ed520e5bef57e2b21c293c41ad0f0ef06a9af4af
Instruction ID: 2f04afe2406d70ef4ea923919c75211e41eaa4987d289d1d8f76ef6e2769baea
Opcode Fuzzy Hash: 2e0649d79a589512adafa078ed520e5bef57e2b21c293c41ad0f0ef06a9af4af
Instruction Fuzzy Hash: 694109B5A00205DFDB14CF99C888AAABBF5FB88314F25C499D519AB321D774E845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04FAB898, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: ebd4906b9a2f902889651b8b6a9d46db436dd6382796a1ade2f62752e2212afe
Instruction ID: bf547c235d79ee37827c4248f50feaccb610bf4cf8956bcff73e8e63d8b6aacd
Opcode Fuzzy Hash: ebd4906b9a2f902889651b8b6a9d46db436dd6382796a1ade2f62752e2212afe
Instruction Fuzzy Hash: C6317CB19042499FDB11CFA9D840ADEBFF8EF09310F14845AF654AB211C335A965DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E5A14C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04E5BCC6,?,?,?,?,?), ref: 04E5BD87

Memory Dump Source

Source File: 00000005.00000002.489573722.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ae3968b7179a8390bc7a016143b6d9d12d388e55773bc04e3f41f11e8b893e9e
Instruction ID: 2c9cd9331f630f4ebb9f9a16e7480c4093a478c0f5b72bc1fd685149a65c63a5
Opcode Fuzzy Hash: ae3968b7179a8390bc7a016143b6d9d12d388e55773bc04e3f41f11e8b893e9e
Instruction Fuzzy Hash: 7621E5B5D002489FDB10CF9AD884AEEBBF4EB48314F14841AE918A3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E5BCF9, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04E5BCC6,?,?,?,?,?), ref: 04E5BD87

Memory Dump Source

Source File: 00000005.00000002.489573722.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 56ff72ab1f0ca013d111168eae8c269c2860cce6e5d833dd5a015346b930e0a2
Instruction ID: 7a063ea17fba95770b1ed5e98230895e19dc6fdc817c8aed109aaa3951935ac7
Opcode Fuzzy Hash: 56ff72ab1f0ca013d111168eae8c269c2860cce6e5d833dd5a015346b930e0a2
Instruction Fuzzy Hash: 0621C4B5D00258DFDB10CFA9D884AEEBBF4EB48324F14841AE958A7310D378A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04FAA4F8, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,04FAB8B2,?,?,?,?,?), ref: 04FAB957

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 9fc2af4185a804f94cb740efc79c797d4190e5d42239843bb8d197c762ebc030
Instruction ID: fb72c0c28e4c47b8a81c3f3999554b499d18ace3d67ae54e438854fd8b5a2f14
Opcode Fuzzy Hash: 9fc2af4185a804f94cb740efc79c797d4190e5d42239843bb8d197c762ebc030
Instruction Fuzzy Hash: 22218CB5804249DFDB10CFA9C844BEEBFF8EF58314F14841AE658A3210C335A955DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04FAA504, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,04FAB8B2,?,?,?,?,?), ref: 04FAB957

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 200ac2e6eb1c4b9e82421541bafd5416cc497f515823737e681bca3407d2024f
Instruction ID: 0fd82baa8bf87ae9f70964a4378d7715d93b41361e5795b885af2688770f6d13
Opcode Fuzzy Hash: 200ac2e6eb1c4b9e82421541bafd5416cc497f515823737e681bca3407d2024f
Instruction Fuzzy Hash: 3E116AB5800249DFDB10CF9AC844BDEBFF8EB48314F14841AEA54B3210C334A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E58768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,04E596A9,00000800,00000000,00000000), ref: 04E598BA

Memory Dump Source

Source File: 00000005.00000002.489573722.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b3be60309d97cb4dd56f1c5bcaf22460bbaedc44b2f9ba9c80f18af9b04161c4
Instruction ID: 1871f82b318b2750dab982c357decd464f30de528702dca355a96483998ea2f4
Opcode Fuzzy Hash: b3be60309d97cb4dd56f1c5bcaf22460bbaedc44b2f9ba9c80f18af9b04161c4
Instruction Fuzzy Hash: 2311F2B5D002499BDB10CF9AC844BDEFBF4EB48324F10842AE919A7611C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04E5984F, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,04E596A9,00000800,00000000,00000000), ref: 04E598BA

Memory Dump Source

Source File: 00000005.00000002.489573722.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a81a2c3794774e48deb95b056568018cb0875904d93f35b0948dfbde3d3ba693
Instruction ID: 5ac3506cd763eee3dadb8d18c3cd5ed30689820b6309756d211fe45e2af52829
Opcode Fuzzy Hash: a81a2c3794774e48deb95b056568018cb0875904d93f35b0948dfbde3d3ba693
Instruction Fuzzy Hash: 8A11E2B6D002498FDB10CF9AD844BDEFBF4EB89314F14842AE929A7610C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04FA32D8, Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,029453E8,00000000,?), ref: 04FAE73D

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d8b2ad16b6d743d6da62c49ac3a637973886f31e9099655f5a526027913de75e
Instruction ID: 053a338075e50433066e57ba6d373d74442a7fa0175a5703b71241504ed383a6
Opcode Fuzzy Hash: d8b2ad16b6d743d6da62c49ac3a637973886f31e9099655f5a526027913de75e
Instruction Fuzzy Hash: B41128B58002499FDB10CF9AC845BEEFBF8EB58324F10841AE554A3341D374A955CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04FAE6D8, Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,029453E8,00000000,?), ref: 04FAE73D

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 084660b0dd921ff132ac115a4c48bffa67adc689510492603415a69759d66708
Instruction ID: a2325365848aa52a43206889c5eded91109032ab8ef261d851949cd6b21cf61e
Opcode Fuzzy Hash: 084660b0dd921ff132ac115a4c48bffa67adc689510492603415a69759d66708
Instruction Fuzzy Hash: 1F1158B5800209CFDB10CF9AC884BEEBBF4FB58324F20851AE524A3250C374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FAD238, Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 04FAD29D

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6772f66ba338f51aada454a7a7025850840774916f57792239641ab1bb300ed2
Instruction ID: 67f57fe97a2ca5650383205846be44cc5131368d97b216b7f84ddd0340b00b85
Opcode Fuzzy Hash: 6772f66ba338f51aada454a7a7025850840774916f57792239641ab1bb300ed2
Instruction Fuzzy Hash: D81122B5C00249DFDB20DF9AC885BDEFBF4EB48364F10881AE918A7610C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FAA548, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 04FABCBD

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e95ff93ddd267f8cd5a37c9c98360eb71c36adf2bd99d0e1a53fa1eb75813df5
Instruction ID: c7e2d38c868032612a677d19c374f40209b2de10880a1ca73f938d31fddc116d
Opcode Fuzzy Hash: e95ff93ddd267f8cd5a37c9c98360eb71c36adf2bd99d0e1a53fa1eb75813df5
Instruction Fuzzy Hash: D811F2B5900248DFDB10DF9AC885BDEBBF8EB48324F10841AE968A7300D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FA1540, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,04FA226A,?,00000000,?), ref: 04FAC435

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 44e8d748f706ffd6894a48b32630ab3db21b878aa8ec27ad53222dbfc8adb49d
Instruction ID: 7e6ba7cbbb90cbadf2ff7522d63256027c10d8886348d0b4e7998039757d7430
Opcode Fuzzy Hash: 44e8d748f706ffd6894a48b32630ab3db21b878aa8ec27ad53222dbfc8adb49d
Instruction Fuzzy Hash: 2F11F5B58003489FDB10DF99C845BEEBBF8EB49324F10841AE958A7700D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FA50D4, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 04FAD29D

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: be60c44473017e98c28b7b2b412f12ba2a286eb771c86cd81ab8802d8f82265f
Instruction ID: 1e0e6c701cf59f1d72a90747a3cbd9d259c944282e306b15718e30dce2e6a137
Opcode Fuzzy Hash: be60c44473017e98c28b7b2b412f12ba2a286eb771c86cd81ab8802d8f82265f
Instruction Fuzzy Hash: 261106B58002489FEB10DF9AC845BDEFBF8EB48324F10841AE918B7700D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E595C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 04E5962E

Memory Dump Source

Source File: 00000005.00000002.489573722.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b58db140c6a4be5f6f0fb7e4d3ced6f50f4aa222756b10547e291fd1adf5b78b
Instruction ID: 844be6aa2ae4e3c83d6dabd178fedd9daddd052fd6674468d83703f92e516193
Opcode Fuzzy Hash: b58db140c6a4be5f6f0fb7e4d3ced6f50f4aa222756b10547e291fd1adf5b78b
Instruction Fuzzy Hash: AB11E0B5C00649CFDB10CF9AC844BDEFBF4AB89324F10881AD829A7610D375A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E5DA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04E5FE28,?,?,?,?), ref: 04E5FE9D

Memory Dump Source

Source File: 00000005.00000002.489573722.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e95590c6c14ccd857c5f8576a72aa037e8bc57ceda91fffa6e0432ee0fe87407
Instruction ID: 0d980b7e9d3bcfe50b51834ac331470340dd1d0bd56d18a3c4a8bcd0edd57756
Opcode Fuzzy Hash: e95590c6c14ccd857c5f8576a72aa037e8bc57ceda91fffa6e0432ee0fe87407
Instruction Fuzzy Hash: AE11F2B59002489FDB10DF9AD489BDEBBF8EB48324F10845AE919A7341D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04FADC60, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 04FAF435

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 030e90587ed4c0600bde75e01c0a2869ad25794bc1c0148b0360b4b4c77f746c
Instruction ID: 0022b355f67982425c0644707fb1db0011db8a7641d2105bd12bd75cffbcf3c1
Opcode Fuzzy Hash: 030e90587ed4c0600bde75e01c0a2869ad25794bc1c0148b0360b4b4c77f746c
Instruction Fuzzy Hash: 291133B49002488FDB10DF9AC444B9EBBF4EB48324F10845AE519B7300D374A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FAF3D8, Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 04FAF435

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0b9369e61131001bd3061f17fee6fdec2df35fbe2d24c315e68f6c86b47eace0
Instruction ID: 9df1b115fb426e776c428c307229d58fc1ddbe60278c1830d37b72da62a89bc4
Opcode Fuzzy Hash: 0b9369e61131001bd3061f17fee6fdec2df35fbe2d24c315e68f6c86b47eace0
Instruction Fuzzy Hash: 671112B5D00248CFCB10CFA9C8847DEBBF4AB48328F20851AE559B7600C334A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FAC3D0, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,04FA226A,?,00000000,?), ref: 04FAC435

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fd0c11f1bf47987d56f74d2f5d4d255198d3c5e22bbc99b777d9f90b5ab3708b
Instruction ID: 2a9aefbeac15e18e41d5afe2bb9db5f1275893af3fdd3f8b8de6688a98161417
Opcode Fuzzy Hash: fd0c11f1bf47987d56f74d2f5d4d255198d3c5e22bbc99b777d9f90b5ab3708b
Instruction Fuzzy Hash: 5E1100B5800249CFDB20CF99D885BEEFBF4FB48324F20881AE959A3600D374A555CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E5FE3F, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04E5FE28,?,?,?,?), ref: 04E5FE9D

Memory Dump Source

Source File: 00000005.00000002.489573722.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c5903a09a4efe88a85f0422f2f9d85f780b0c9289924608bf3f0836e28ea15bc
Instruction ID: 2479c91b56d66c677b16df6edd72f98b9d2f02a5238593b71a034c0124a33814
Opcode Fuzzy Hash: c5903a09a4efe88a85f0422f2f9d85f780b0c9289924608bf3f0836e28ea15bc
Instruction Fuzzy Hash: E011E2B58002499FDB10DF9AD585BDEFBF8EB48324F20845AE969A7341C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FABC59, Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 04FABCBD

Memory Dump Source

Source File: 00000005.00000002.489785366.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 20b8e21f387f4ecf4d5aa224ebf7e9e9f58200089dd92dd192232c9c624f2934
Instruction ID: ae0ba73c628c874d63b4ddefcfb5c1b26c64599c7013a0027a20d9ead6a59f04
Opcode Fuzzy Hash: 20b8e21f387f4ecf4d5aa224ebf7e9e9f58200089dd92dd192232c9c624f2934
Instruction Fuzzy Hash: 0111D0B5900649CFDB10CF99D884BDEBBF4FB48324F20881AE969A7700D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F3D1D8, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.483856978.0000000000F3D000.00000040.00000001.sdmp, Offset: 00F3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e25f8ed8d8052cbc67e3ce2ac99114565692255d23ad6753c9bfd63ea548e15
Instruction ID: ea61f384a56dc18f1e664f54fd85dd1ede78c4ef6bd11fb093d4838683780193
Opcode Fuzzy Hash: 9e25f8ed8d8052cbc67e3ce2ac99114565692255d23ad6753c9bfd63ea548e15
Instruction Fuzzy Hash: EB21F5B2904240DFDB05DF54E8C0B27BB65FB88334F34C6A9E9054B246C336D856EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F3D4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.483856978.0000000000F3D000.00000040.00000001.sdmp, Offset: 00F3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45aef8cc23290cd6479efd9f8fc45d126666346f82fed1c64725484427858533
Instruction ID: b95b7fd665b8b98d4bf5e618af411d5986909657652eb1dde3993aaae753ba2b
Opcode Fuzzy Hash: 45aef8cc23290cd6479efd9f8fc45d126666346f82fed1c64725484427858533
Instruction Fuzzy Hash: F02128B1904244DFDB05DF14E8C0B26BF65FB94338F34C569E9064B246C336D855EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F4D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484011521.0000000000F4D000.00000040.00000001.sdmp, Offset: 00F4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6a199d96af0634dca2f4502e5e1db98e12573fd92651d90cd5f0ca2900718c
Instruction ID: cb32ad15007ead31185c7642b7840961da7eaa5fcd0e2634bf86bc4950ddafbd
Opcode Fuzzy Hash: 1b6a199d96af0634dca2f4502e5e1db98e12573fd92651d90cd5f0ca2900718c
Instruction Fuzzy Hash: 8321D375904240DFCB14DF28D8C4B16BF65EB84328F30C5A9ED0A4B24AC736D846EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F4D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.484011521.0000000000F4D000.00000040.00000001.sdmp, Offset: 00F4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f7d71b980b71004d7bfb9508d0f67d52c90140fedbbeee158360e409a5e0d0
Instruction ID: 11091e5a4481c906fce5a728636569c1dbf7d56615c4c0570be55c32ed7503eb
Opcode Fuzzy Hash: 25f7d71b980b71004d7bfb9508d0f67d52c90140fedbbeee158360e409a5e0d0
Instruction Fuzzy Hash: B72150755093C08FCB12CF24D994715BF71EB46324F28C5EAD8498B697C33AD84ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3D1D3, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.483856978.0000000000F3D000.00000040.00000001.sdmp, Offset: 00F3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5366f0cf882396cf892b45b5465a37a4e959e077736cd978dc79d31370229c1
Instruction ID: 4befc65d2f96cd6309b24c66af97a075c1b80e432275f18bf19e0420b5e4c71b
Opcode Fuzzy Hash: a5366f0cf882396cf892b45b5465a37a4e959e077736cd978dc79d31370229c1
Instruction Fuzzy Hash: 8021B476904240DFCB16CF50D9C4B16BF71FB84324F24C2A9DC440B656C336D85ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F3D49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.483856978.0000000000F3D000.00000040.00000001.sdmp, Offset: 00F3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d5158c653afe0cee1dfa6c020974699e8307e32521adbfa1e69b78cf989a9a
Instruction ID: 7899bc9316a8e140d3b584e303a9ea4dd7474476b78980eda0611cc7518bd09c
Opcode Fuzzy Hash: 22d5158c653afe0cee1dfa6c020974699e8307e32521adbfa1e69b78cf989a9a
Instruction Fuzzy Hash: CF11B176804280CFCB12CF14D5C4B1ABF72FB94334F28C6A9D8050B216C336D85ADBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegAsm.exe PID: 6140 Parent PID: 528 RegAsm.exeCOMMON

Executed Functions

Function 024F189D, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 024F1A4B

Memory Dump Source

Source File: 0000000A.00000002.268512449.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 720bf8bdca91242c10ee7704aa319de68430830574908d4f6e6538b599f5416d
Instruction ID: c17bfddf4841e9dc7eda78da65f5675aa1daba1947b7fe0cdc8e5e3de67f59e4
Opcode Fuzzy Hash: 720bf8bdca91242c10ee7704aa319de68430830574908d4f6e6538b599f5416d
Instruction Fuzzy Hash: 5F7105B0D00219CFDB24CF99C984A9EBBF1BF88314F25812AE919A7350D734A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 024F18A8, Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 024F1A4B

Memory Dump Source

Source File: 0000000A.00000002.268512449.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 17e9a87dc6f7d8df418b892d18a659b7a1697ca50d1689670c203245fa2747da
Instruction ID: 5ecf0300d9bb1a5dbbf1701b87321e79734816ac1a0f4c4f587b692aeece3e45
Opcode Fuzzy Hash: 17e9a87dc6f7d8df418b892d18a659b7a1697ca50d1689670c203245fa2747da
Instruction Fuzzy Hash: 8E7103B0D00219DFDB24CF99C984A9EBBF1BF88314F25812EE919A7350DB34A945CF91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report wmaJOYGy7Q

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos