Windows Analysis Report SK TAX INV.exe

Overview

General Information

Sample Name: SK TAX INV.exe
Analysis ID: 528510
MD5: c2ee32f9d7de6b05472ceda926fd0a6f
SHA1: d4455ac7ec0c49769b645e7471989bd7ee29f6fc
SHA256: 84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d
Tags: exe, Invoice

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • SK TAX INV.exe (PID: 3980 cmdline: "C:\Users\user\Desktop\SK TAX INV.exe" MD5: C2EE32F9D7DE6B05472CEDA926FD0A6F)
    • SK TAX INV.exe (PID: 6636 cmdline: C:\Users\user\Desktop\SK TAX INV.exe MD5: C2EE32F9D7DE6B05472CEDA926FD0A6F)
  • dhcpmon.exe (PID: 6980 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: C2EE32F9D7DE6B05472CEDA926FD0A6F)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f4157c11-54e5-4893-8a60-6856b847", "Group": "Default", "Domain1": "dera31.ddns.net", "Domain2": "195.133.18.211", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings are listed beneath each row)
00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(19 further memory-dump matches are collapsed in the original report and not reproduced here)

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed beneath each row)
3.0.SK TAX INV.exe.400000.10.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.SK TAX INV.exe.400000.10.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
3.0.SK TAX INV.exe.400000.10.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
3.0.SK TAX INV.exe.400000.10.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
3.0.SK TAX INV.exe.400000.8.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(31 further unpacked-PE matches are collapsed in the original report and not reproduced here)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\SK TAX INV.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

The same Sigma match is listed again in the report under E-Banking Fraud, Stealing of Sensitive Information and Remote Access Functionality.
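
The Sigma hit above is a Sysmon FileCreate (Event ID 11) in which the injected child process (PID 6636) writes run.dat into a GUID-named folder under %APPDATA%. The following Python is an added example, not part of the Joe Sandbox report and not the Sigma rule itself (which the page does not reproduce): it applies a regular expression approximating that artifact to a handful of constructed Sysmon records, and adds a second, broader check of my own for the dropped copy seen in the process tree (an .exe written under a Program Files subfolder by a process running from a user profile). The events, PIDs other than 6636 and the assumption that PID 6636 wrote dhcpmon.exe are constructed for the example.

```python
import re

GUID = r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"

# Persistence artifact named in the Sigma match above: %APPDATA%\<GUID>\run.dat.
# This regex is an approximation written for the example, not the Sigma rule's own logic.
RUN_DAT_RE = re.compile(r"\\AppData\\Roaming\\" + GUID + r"\\run\.dat$", re.IGNORECASE)

# Second check (an assumption of this example, not a Joe Sandbox or Sigma rule): a process
# running from a user profile writes an .exe directly under a Program Files subfolder, the
# shape of the dropped C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe from the process tree.
PROGFILES_EXE_RE = re.compile(
    r"^[A-Z]:\\Program Files(?: \(x86\))?\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE
)
USER_PROFILE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)

# Constructed Sysmon records (Event ID 11 = FileCreate). The first is the event quoted in the
# Sigma section; the rest are made up for the example (who wrote dhcpmon.exe is assumed).
SYSMON_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\SK TAX INV.exe", "ProcessId": 6636,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\SK TAX INV.exe", "ProcessId": 6636,
     "TargetFilename": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "ProcessId": 4321,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\invoice.lnk"},
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\setup.exe", "ProcessId": 777,
     "TargetFilename": r"C:\Program Files\Vendor\app.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\SK TAX INV.exe", "ProcessId": 3980,
     "CommandLine": r'"C:\Users\user\Desktop\SK TAX INV.exe"'},
]


def classify(event):
    """Return a detection tag for one Sysmon event, or None when nothing matches.

    Only FileCreate events are considered; other event IDs are ignored even if the
    image is suspicious, so that the tags stay tied to the file artifact.
    """
    if event.get("EventID") != 11:
        return None
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    if RUN_DAT_RE.search(target):
        return "nanocore_run_dat"
    if PROGFILES_EXE_RE.match(target) and USER_PROFILE_RE.match(image):
        return "user_profile_process_drops_program_files_exe"
    return None


def detect(events):
    """Scan events in order; return (ProcessId, Image, TargetFilename, tag) per hit."""
    hits = []
    for event in events:
        tag = classify(event)
        if tag:
            hits.append((event["ProcessId"], event["Image"], event["TargetFilename"], tag))
    return hits


if __name__ == "__main__":
    for hit in detect(SYSMON_EVENTS):
        print(hit)
```

The GUID folder name is per-build, so matching on the folder shape plus the fixed run.dat file name rather than on D06ED635-... keeps the check useful across other NanoCore samples; the second check is deliberately broader and will fire on some legitimate per-user installers, so it is a hunting query rather than an alert on its own.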

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f4157c11-54e5-4893-8a60-6856b847", "Group": "Default", "Domain1": "dera31.ddns.net", "Domain2": "195.133.18.211", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for submitted file
Source: SK TAX INV.exe; VirusTotal: Detection: 17%
Source: SK TAX INV.exe; ReversingLabs: Detection: 11%
Multi AV Scanner detection for domain / URL
Source: dera31.ddns.net; VirusTotal: Detection: 6%
Source: 195.133.18.211; VirusTotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; VirusTotal: Detection: 17%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 20%
Yara detected Nanocore RAT
Source: Yara match; File source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTR
Antivirus or Machine Learning detection for unpacked file
Source: 3.0.SK TAX INV.exe.400000.10.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.SK TAX INV.exe.400000.6.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.SK TAX INV.exe.400000.12.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.SK TAX INV.exe.400000.8.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.SK TAX INV.exe.400000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: SK TAX INV.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SK TAX INV.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49783 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49784 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49793 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49821 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49824 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49829 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49831 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49853 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49856 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49857 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49859 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49863 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49864 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49865 -> 194.85.248.250:1187
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49866 -> 194.85.248.250:1187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: dera31.ddns.net
Source: Malware configuration extractor; URLs: 195.133.18.211
Uses dynamic DNS services
Source: unknown; DNS query: name: dera31.ddns.net
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: DATACENTERRO DATACENTERRO
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.4:49777 -> 194.85.248.250:1187
Source: SK TAX INV.exe, 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp, SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown; DNS traffic detected: queries for: dera31.ddns.net
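
The extracted configuration in the Malware Configuration section names two C2 entries (dera31.ddns.net and 195.133.18.211, port 1187), while the Snort alerts above show every flow going to 194.85.248.250:1187 from a fresh ephemeral port each time. The Python below is an added example, not part of the Joe Sandbox report: it parses the configuration into IOCs, parses Snort alert lines of the format shown above, and explains each alerted destination as a configured literal IP, an IP resolved from a configured hostname, or an endpoint the configuration does not account for. The six alert lines are copied from this section; the DNS answer mapping dera31.ddns.net to 194.85.248.250 is an assumption made for the example, since the report records the query and the flows but not the resolved address.

```python
import json
import re
from collections import Counter

# NanoCore configuration fields as extracted by the sandbox (copied from the report; the
# fields not needed for the correlation are omitted).
NANOCORE_CONFIG = json.loads(
    '{"Version": "1.2.2.0", "Mutex": "f4157c11-54e5-4893-8a60-6856b847", "Group": "Default", '
    '"Domain1": "dera31.ddns.net", "Domain2": "195.133.18.211", "Port": 1187, '
    '"KeyboardLogging": "Enable", "RunOnStartup": "Enable", "ClearZoneIdentifier": "Enable", '
    '"UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}'
)

# Constructed sample: six of the Snort alert lines from the Networking section, same format.
SNORT_LINES = [
    "Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 194.85.248.250:1187",
    "Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 194.85.248.250:1187",
    "Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 194.85.248.250:1187",
    "Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 194.85.248.250:1187",
    "Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49783 -> 194.85.248.250:1187",
    "Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49784 -> 194.85.248.250:1187",
]

# ASSUMPTION: the report logs the DNS query for dera31.ddns.net and the TCP flows, but not
# the answer; this resolution is supplied by the example so the correlation can be shown.
DNS_ANSWERS = {"dera31.ddns.net": {"194.85.248.250"}}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
SNORT_RE = re.compile(
    r"Snort IDS:\s*(?P<sid>\d+)\s+(?P<msg>.+?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)


def config_iocs(cfg):
    """Turn the extracted NanoCore config into network and host IOCs.

    Domain1/Domain2 may each hold a hostname or a literal IP, so they are split into
    separate sets; the single configured port applies to both entries.
    """
    hosts, ips = set(), set()
    for key in ("Domain1", "Domain2"):
        value = cfg.get(key) or ""
        if value:
            (ips if IPV4.fullmatch(value) else hosts).add(value)
    custom_dns = []
    if cfg.get("UseCustomDNS") == "Enable":  # client resolves via its own servers, not the host's
        custom_dns = [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)]
    return {
        "c2_hosts": hosts,
        "c2_ips": ips,
        "c2_port": int(cfg["Port"]),
        "mutex": cfg["Mutex"],
        "custom_dns": custom_dns,
        "motw_cleared": cfg.get("ClearZoneIdentifier") == "Enable",  # Zone.Identifier ADS removed
    }


def parse_snort(line):
    """Parse one 'Snort IDS: <sid> <msg> <src>:<sport> -> <dst>:<dport>' line; None if no match."""
    m = SNORT_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    for key in ("sid", "sport", "dport"):
        flow[key] = int(flow[key])
    return flow


def correlate(cfg, snort_lines, dns_answers):
    """Return (iocs, verdicts); verdicts maps (dst_ip, dst_port) to how it relates to the config."""
    iocs = config_iocs(cfg)
    flows = [f for f in map(parse_snort, snort_lines) if f]
    resolved_from = {ip: host for host, ips in dns_answers.items() for ip in ips}
    verdicts = {}
    for (dst, dport), count in Counter((f["dst"], f["dport"]) for f in flows).items():
        if dst in iocs["c2_ips"]:
            how = "configured IP"
        elif resolved_from.get(dst) in iocs["c2_hosts"]:
            how = "resolved from " + resolved_from[dst]
        else:
            how = "not in configuration"
        src_ports = {f["sport"] for f in flows if (f["dst"], f["dport"]) == (dst, dport)}
        verdicts[(dst, dport)] = {
            "flows": count,
            "distinct_src_ports": len(src_ports),  # one ephemeral port per reconnect attempt
            "port_matches_config": dport == iocs["c2_port"],
            "match": how,
        }
    return iocs, verdicts


if __name__ == "__main__":
    iocs, verdicts = correlate(NANOCORE_CONFIG, SNORT_LINES, DNS_ANSWERS)
    print("IOCs:", iocs)
    for endpoint, verdict in verdicts.items():
        print(endpoint, verdict)
```

The steadily increasing source ports with one flow each are what a client that tears down and re-establishes its C2 session looks like, consistent with the short ConnectDelay and RestartDelay values in the configuration; when hunting in real NetFlow, the "not in configuration" verdict is the one worth chasing, because it means either a stale extraction or a resolver answer you have not captured.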

E-Banking Fraud:

Yara detected Nanocore RAT: the same Yara match sources as listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTR; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTR; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Uses 32bit PE files
Source: SK TAX INV.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\SK TAX INV.exeCode function: 0_2_00426BFF
        Source: C:\Users\user\Desktop\SK TAX INV.exeCode function: 0_2_00DF8250
        Source: C:\Users\user\Desktop\SK TAX INV.exeCode function: 0_2_00DFD2E8
        Source: SK TAX INV.exeBinary or memory string: OriginalFilename vs SK TAX INV.exe
        Source: SK TAX INV.exe, 00000000.00000002.671989261.0000000005CF0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs SK TAX INV.exe
        Source: SK TAX INV.exe, 00000000.00000002.668843928.00000000038AD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs SK TAX INV.exe
        Source: SK TAX INV.exe, 00000000.00000002.671752533.0000000005760000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs SK TAX INV.exe
        Source: SK TAX INV.exe, 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs SK TAX INV.exe
        Source: SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs SK TAX INV.exe
        Source: SK TAX INV.exe, 00000003.00000003.684774036.00000000012F3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs SK TAX INV.exe
        Source: SK TAX INV.exeBinary or memory string: OriginalFilenameTypeLibTypeAttribu.exe. vs SK TAX INV.exe
        Source: SK TAX INV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.3.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: SK TAX INV.exeVirustotal: Detection: 17%
        Source: SK TAX INV.exeReversingLabs: Detection: 11%
        Source: C:\Users\user\Desktop\SK TAX INV.exeFile read: C:\Users\user\Desktop\SK TAX INV.exe:Zone.Identifier
        Source: SK TAX INV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\SK TAX INV.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\SK TAX INV.exe "C:\Users\user\Desktop\SK TAX INV.exe"
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess created: C:\Users\user\Desktop\SK TAX INV.exe C:\Users\user\Desktop\SK TAX INV.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess created: C:\Users\user\Desktop\SK TAX INV.exe C:\Users\user\Desktop\SK TAX INV.exe
        Source: C:\Users\user\Desktop\SK TAX INV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\SK TAX INV.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SK TAX INV.exe.log
        Source: classification engineClassification label: mal100.troj.evad.winEXE@4/7@20/1
        Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.SK TAX INV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.SK TAX INV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.SK TAX INV.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.SK TAX INV.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\SK TAX INV.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\SK TAX INV.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{f4157c11-54e5-4893-8a60-6856b8471d8c}
        Source: C:\Users\user\Desktop\SK TAX INV.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
        Source: C:\Users\user\Desktop\SK TAX INV.exeFile created: C:\Program Files (x86)\DHCP Monitor
        Source: SK TAX INV.exeString found in binary or memory: /TypeLibTypeAttribu;component/views/addbook.xaml
        Source: SK TAX INV.exeString found in binary or memory: views/addbook.baml
        Source: SK TAX INV.exeString found in binary or memory: views/addcustomer.baml
        Source: SK TAX INV.exeString found in binary or memory: /TypeLibTypeAttribu;component/views/addcustomer.xaml
        Source: SK TAX INV.exeString found in binary or memory: a/TypeLibTypeAttribu;component/views/addbook.xamlw/TypeLibTypeAttribu;component/views/borrowfrombookview.xamlm/TypeLibTypeAttribu;component/views/borrowingview.xamlg/TypeLibTypeAttribu;component/views/changebook.xamlo/TypeLibTypeAttribu;component/views/changecustomer.xamlk/TypeLibTypeAttribu;component/views/customerview.xamlo/TypeLibTypeAttribu;component/views/deletecustomer.xamle/TypeLibTypeAttribu;component/views/errorview.xamli/TypeLibTypeAttribu;component/views/smallextras.xamli/TypeLibTypeAttribu;component/views/addcustomer.xaml
        Source: SK TAX INV.exeString found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
        Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\Desktop\SK TAX INV.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: SK TAX INV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: SK TAX INV.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: SK TAX INV.exe, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.SK TAX INV.exe.420000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.SK TAX INV.exe.420000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: dhcpmon.exe.3.dr, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.b10000.5.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.b10000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.b10000.2.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.b10000.7.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.b10000.9.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.b10000.13.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.b10000.11.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.b10000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.SK TAX INV.exe.b10000.3.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.dhcpmon.exe.920000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.dhcpmon.exe.920000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\SK TAX INV.exeCode function: 0_2_00429347 push ds; ret
        Source: C:\Users\user\Desktop\SK TAX INV.exeCode function: 0_2_00429361 push ds; retf
        Source: C:\Users\user\Desktop\SK TAX INV.exeCode function: 0_2_004292F5 push ds; ret
        Source: initial sampleStatic PE information: section name: .text entropy: 7.87847086948
        Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.SK TAX INV.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.SK TAX INV.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.SK TAX INV.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.SK TAX INV.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\SK TAX INV.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\SK TAX INV.exeFile opened: C:\Users\user\Desktop\SK TAX INV.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SK TAX INV.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match | File source: 0.2.SK TAX INV.exe.29071c8.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SK TAX INV.exe.2995604.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: SK TAX INV.exe, 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp, SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: SK TAX INV.exe, 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp, SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -7378697629483816s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -240000s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6676 | Thread sleep count: 684 > 30
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -239859s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6676 | Thread sleep count: 1731 > 30
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 3184 | Thread sleep time: -31962s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -239742s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -239641s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -239500s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -239390s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -239280s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -239155s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -239047s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -238937s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -238828s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -238717s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -238250s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -237406s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -237063s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -236750s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -236422s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680 | Thread sleep time: -236312s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 5912 | Thread sleep time: -13835058055282155s >= -30000s
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 240000
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239859
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239742
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239641
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239500
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239390
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239280
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239155
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239047
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 238937
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 238828
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 238717
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 238250
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 237406
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 237063
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 236750
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 236422
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 236312
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Window / User API: threadDelayed 684
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Window / User API: threadDelayed 1731
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Window / User API: threadDelayed 2909
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Window / User API: threadDelayed 6615
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Window / User API: foregroundWindowGot 671
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Window / User API: foregroundWindowGot 704
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 240000
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239859
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 31962
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239742
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239641
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239500
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239390
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239280
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239155
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 239047
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 238937
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 238828
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 238717
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 238250
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 237406
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 237063
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 236750
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 236422
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 236312
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Thread delayed: delay time: 922337203685477
        Source: SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
        Source: SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: SK TAX INV.exe, 00000003.00000003.732893418.00000000012B9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Process created: C:\Users\user\Desktop\SK TAX INV.exe C:\Users\user\Desktop\SK TAX INV.exe
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Users\user\Desktop\SK TAX INV.exe VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Users\user\Desktop\SK TAX INV.exe VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\SK TAX INV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\SK TAX INV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTR

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: SK TAX INV.exe, 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: SK TAX INV.exe, 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: SK TAX INV.exe, 00000003.00000003.684774036.00000000012F3000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara match | File source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTR

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation1 | Path Interception | Process Injection11 | Masquerading2 | OS Credential Dumping | Security Software Discovery211 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Command and Scripting Interpreter2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Virtualization/Sandbox Evasion21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection11 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | System Information Discovery12 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol21 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue

        Behavior Graph

        Screenshots

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        SK TAX INV.exe18%VirustotalBrowse
        SK TAX INV.exe11%ReversingLabsWin32.Trojan.AgentTesla

        Dropped Files

        SourceDetectionScannerLabelLink
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe18%VirustotalBrowse
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe20%ReversingLabsWin32.Trojan.AgentTesla

        Unpacked PE Files

Source | Detection | Scanner | Label
3.0.SK TAX INV.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.SK TAX INV.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.SK TAX INV.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.SK TAX INV.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.0.SK TAX INV.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

Source | Detection | Scanner | Label
dera31.ddns.net | 6% | Virustotal |

        URLs

Source | Detection | Scanner | Label
dera31.ddns.net | 6% | Virustotal |
dera31.ddns.net | 0% | Avira URL Cloud | safe
195.133.18.211 | 6% | Virustotal |
195.133.18.211 | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
dera31.ddns.net | 194.85.248.250 | true | true | | unknown

        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
dera31.ddns.net | true | 6% (Virustotal); Avira URL Cloud: safe | unknown
195.133.18.211 | true | 6% (Virustotal); Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SK TAX INV.exe, 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp; SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp | false | | high

Contacted IPs

(IP distribution chart not reproduced; its legend buckets contacted IPs into <25%, 25-50%, 50-75% and >75% shares.)

          Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.85.248.250 | dera31.ddns.net | Russian Federation | 35478 | DATACENTERRO | true

          General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528510
Start date: 25.11.2021
Start time: 11:55:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 28s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SK TAX INV.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@4/7@20/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

          Simulations

          Behavior and APIs

Time | Type | Description
11:56:12 | API Interceptor | 1029x Sleep call for process: SK TAX INV.exe modified
11:56:20 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

          Joe Sandbox View / Context

          IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
194.85.248.250 | CV.exe | | malicious |
194.85.248.250 | INV.exe | | malicious |
194.85.248.250 | CV.exe | | malicious |

                Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
dera31.ddns.net | CV.exe | | malicious | 194.85.248.250
dera31.ddns.net | INV.exe | | malicious | 194.85.248.250
dera31.ddns.net | CV.exe | | malicious | 194.85.248.250
dera31.ddns.net | circular_11_17_21.exe | | malicious | 195.133.18.211
dera31.ddns.net | Bank Report.exe | | malicious | 195.133.18.211
dera31.ddns.net | cliff.kuhfeldt's CV.exe | | malicious | 195.133.18.211
dera31.ddns.net | Jessica Ohnesorge'CV.exe | | malicious | 195.133.18.211
dera31.ddns.net | Change Of Registration Form.exe | | malicious | 195.133.18.211
dera31.ddns.net | Payment invoice.exe | | malicious | 195.133.18.211
dera31.ddns.net | Wire Transfer Slip.exe | | malicious | 195.133.18.211
dera31.ddns.net | Advise.exe | | malicious | 195.133.18.211
dera31.ddns.net | Bank Report.exe | | malicious | 195.133.18.211
dera31.ddns.net | N5HlpHINh2.exe | | malicious | 195.133.18.211
dera31.ddns.net | BL draft.exe | | malicious | 195.133.18.211

                ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
DATACENTERRO | xA7ry4Ewuk.exe | | malicious | 194.85.248.167
DATACENTERRO | Sales Pro forma invoice_SO0005303101427.docx | | malicious | 194.85.248.219
DATACENTERRO | Statement from QNB.exe | | malicious | 194.85.248.156
DATACENTERRO | CV.exe | | malicious | 194.85.248.250
DATACENTERRO | INV.exe | | malicious | 194.85.248.250
DATACENTERRO | CV.exe | | malicious | 194.85.248.250
DATACENTERRO | TMR590241368.exe | | malicious | 194.85.248.115
DATACENTERRO | vIyyHkRXJn | | malicious | 194.85.250.154
DATACENTERRO | 267A80yAhp | | malicious | 194.85.250.154
DATACENTERRO | QJYxAALd23 | | malicious | 194.85.250.154
DATACENTERRO | z4bJfjXDDQ | | malicious | 194.85.250.154
DATACENTERRO | XXaLHoecGp | | malicious | 194.85.250.154
DATACENTERRO | AGiCic4uDz | | malicious | 194.85.250.154
DATACENTERRO | 3B3BMxYG8n | | malicious | 194.85.250.154
DATACENTERRO | 6WMo1OYmk3 | | malicious | 194.85.250.154
DATACENTERRO | dycuTng5W8 | | malicious | 194.85.250.154
DATACENTERRO | xINX4f5M8s | | malicious | 194.85.250.154
DATACENTERRO | SSIuSyaBAF | | malicious | 194.85.250.154
DATACENTERRO | IMG600094173852.exe | | malicious | 194.85.248.115
DATACENTERRO | cdQc14SeRu | | malicious | 194.85.248.128

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Users\user\Desktop\SK TAX INV.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 493568
Entropy (8bit): 7.8676652949902195
Encrypted: false
SSDEEP: 12288:D1UFM0gixBFm0Ud7zqdz66fMPZl2t4v0f1zo0naysDDayUyhD2:D18M0gi1Kd73LD2tp3HwDRUyhD
MD5: C2EE32F9D7DE6B05472CEDA926FD0A6F
SHA1: D4455AC7EC0C49769B645E7471989BD7EE29F6FC
SHA-256: 84B9FEF1F2C0DD3E8F8DC93CF6574D30E2C6E5BC819599FEA60C71876DF0278D
SHA-512: 7BD853A9B3B14FEDC2CB4F14859E2A38F4AB38A6A6AAA5EA2C44BAB5D0EDF488F3BD422E8DA61DD74429E4508C09C8D0349E4995E0C8900F57E4FCD90B8004D3
Malicious: true
Antivirus:
• Antivirus: Virustotal, Detection: 18%
• Antivirus: ReversingLabs, Detection: 20%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dE.a..............0..~.............. ........@.. ....................................@.................................p...O.................................................................................... ............... ..H............text....|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B........................H........e..Xv..............p.............................................{ ...*..{!...*..{"...*..{#...*..($.....} .....}!.....}"......}#...*....0..s........u........f.,`(%....{ ....{ ...o&...,H('....{!....{!...o(...,0()....{"....{"...o*...,.(+....{#....{#...o,...+..+..*..0..b....... .@d )UU.Z(%....{ ...o-...X )UU.Z('....{!...o....X )UU.Z()....{"...o/...X )UU.Z(+....{#...o0...X*...0...........r...p......%..{ ......%q.........-.&.+.......o1....%..{!......%q.........-.&.+.....
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
Process: C:\Users\user\Desktop\SK TAX INV.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SK TAX INV.exe.log
Process: C:\Users\user\Desktop\SK TAX INV.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2239
Entropy (8bit): 5.354287817410997
Encrypted: false
SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
MD5: 913D1EEA179415C6D08FB255AE42B99D
SHA1: E994C612C0596994AAE55FBCE35B7A4FBE312FD7
SHA-256: 473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
SHA-512: 768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Users\user\Desktop\SK TAX INV.exe
File Type: data
Category: dropped
Size (bytes): 232
Entropy (8bit): 7.117516745217376
Encrypted: false
SSDEEP: 6:X4LDAnybgCFcpJSQwP4d7V9Nhyleajl0fuONKcpMe5i:X4LEnybgCFCtvd7V9NYRj+GONKaMv
MD5: CF55DF705B79F961ED069D8E84D2AF1C
SHA1: 574CDF36753CF356A25872BCCAA3CC6FFCD5D23F
SHA-256: DF982E10764D21FCB1469EB6EA1175AC69544C68900B0DD8C79A0FE8A8F300F5
SHA-512: 518A037DF1D6FBC8A296DA5B96B67E073FB1F674090AFE3243E52A65B169DE35FC041C2C05F7EEF9EC74A0100A422E53B3D7D920E5ADF6CE42B82FE94244F5DE
Malicious: false
Reputation: moderate, very likely benign file
Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL...Q.F...@.h.......y.[....e..<..n....B...PP...azZ).~..Uj.>..H.b.O..AX.E.S&.O.k.3O'.Lge...$..teI....Hw.CT.].Z.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\Desktop\SK TAX INV.exe
File Type: data
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:Moqn:Moq
MD5: 91513139ABA0F3219DD4AA39A2E0A8A1
SHA1: F5DBA8D934ECEA79560BCF4FD578CFA1E90CD872
SHA-256: F3708BADFB95D6F51D0611DA1DEDDD44676D73D5075C2E358F843C0AC6AA4FEB
SHA-512: BB0CDA8E32B96AA07E5365C7AA0416F256ADA772D8C02BF70611007603895E2248034984696E6B579314B7F0EBCA8674AAB58F52B2370B4923868EB34B68AB96
Malicious: true
Reputation: low
Preview: ^..4...H
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process: C:\Users\user\Desktop\SK TAX INV.exe
File Type: data
Category: modified
Size (bytes): 40
Entropy (8bit): 5.153055907333276
Encrypted: false
SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5: 4E5E92E2369688041CC82EF9650EDED2
SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious: false
Reputation: moderate, very likely benign file
Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process: C:\Users\user\Desktop\SK TAX INV.exe
File Type: data
Category: dropped
Size (bytes): 315080
Entropy (8bit): 7.999403263872478
Encrypted: true
SSDEEP: 6144:m8aeVE5MlgWfxwY/8uvJYRDMVpXUhXQrEBPgzC2D4Toqhs22DJM+iaPnW:mfwiMdxwYEYyWzw0TqC2kM+lnW
MD5: 981C80683A41E2D9DD9C297DAA691C54
SHA1: 7A1F5DDFFB3E630FE19E19F6AA923427DE72217B
SHA-256: 6C67B680BB9CF41F30C37D791D9EE52582977C1D9D5696FEAE1613FC0C5E2DBE
SHA-512: 72E4198AE2A65B7E1698925DF537CBA63A2877677C7C8FEA475E52B99E631272CFBEDCD5A4E1949EB7F8073C01229E89CCCD1ABBFD8832533346A6568750ADAE
Malicious: false
Reputation: moderate, very likely benign file
Preview: ..f# ....)1\*.....5....;.T..u.. .3.Xd... ....u(..._.V.{L..Y.8....~...S79.f0V...=.}...SJg|.lh.J..^Ge.........3h?n..:..r....,o."a.I....\..0Z.D..........^....[..f.I....@/_..".5+...I...J`./s..p-.....c..?...*.. .&.....>.Ye$=.pG.....9D...'7.w.a.[3.d.-..V..]..B.b.zA?..M..3...%A....K5@.. j.U.h.B....'...0."..u.V...d..c,r"..@9.9.>..cDgP~d9..St...{..24.s.'.....9.D..P4.....I...G..G5......u.-2...z1[.....C..n.6.!..'.%@&.l4..P..rc+vq..C5B.b*..j.W,..T..z......)BX4...>A.*~#..A....8..B....5....w....GC..........y......7...?.T.....!.....7A.........C.3......A.....hC..5'..42..zS.*2.m7....A.'/.R..X....}e...>........}...n.A...4..?.P.l..n.0.I`...".d1.(e|..f.....i.9.#...n..+..l....Xz.q...6".Hl...+...1^pgs...%.FR.T....(...=.rHX.d.9%...?..f?.Q.yi.D9/>....V..5......q...nP'...S.Y.....pu.!..-..\..|/....V.......NX....../.8..V.0.5`m$.{b..lw.K.3-..C3...-.2.Qb.....o...6z....`H...(..o.ag.-7../F..RoI..O#.u|.U.@....$;.....s.~.M...j?...q#.l..y..M.[../.....=T.......5HX.QJ...

                Static File Info

                General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.8676652949902195
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: SK TAX INV.exe
File size: 493568
MD5: c2ee32f9d7de6b05472ceda926fd0a6f
SHA1: d4455ac7ec0c49769b645e7471989bd7ee29f6fc
SHA256: 84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d
SHA512: 7bd853a9b3b14fedc2cb4f14859e2a38f4ab38a6a6aaa5ea2c44bab5d0edf488f3bd422e8da61dd74429e4508c09c8d0349e4995e0c8900f57e4fcd90b8004d3
SSDEEP: 12288:D1UFM0gixBFm0Ud7zqdz66fMPZl2t4v0f1zo0naysDDayUyhD2:D18M0gi1Kd73LD2tp3HwDRUyhD
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dE.a..............0..~............... ........@.. ....................................@................................

                File Icon

Icon Hash: 00828e8e8686b000

                Static PE Info

                General

Entrypoint: 0x479cc2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x619F4564 [Thu Nov 25 08:12:20 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                Entrypoint Preview

                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al
                add byte ptr [ebp+0800000Eh], ch
add byte ptr [eax], al  (this instruction repeats 92 more times: the bytes after the CLR entry stub are zero padding, which disassembles as "add byte ptr [eax], al")

                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x79c70 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7a000 | 0x5ec | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x77cd8 | 0x77e00 | False | 0.894757315563 | data | 7.87847086948 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x7a000 | 0x5ec | 0x600 | False | 0.438151041667 | data | 4.21773046757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x7a090 | 0x35c | data | |
RT_MANIFEST | 0x7a3fc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                Imports

DLL | Import
mscoree.dll | _CorExeMain

                Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Rogers Peet
Assembly Version | 8.0.6.0
InternalName | TypeLibTypeAttribu.exe
FileVersion | 5.6.0.0
CompanyName | Rogers Peet
LegalTrademarks |
Comments |
ProductName | Biblan
ProductVersion | 5.6.0.0
FileDescription | Biblan
OriginalFilename | TypeLibTypeAttribu.exe

                Network Behavior

                Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/25/21-11:56:19.002612 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49714 | 8.8.8.8 | 192.168.2.4
11/25/21-11:56:19.127979 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49777 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:56:23.493869 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 58028 | 8.8.8.8 | 192.168.2.4
11/25/21-11:56:23.526666 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49778 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:56:31.344296 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53097 | 8.8.8.8 | 192.168.2.4
11/25/21-11:56:31.408131 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49779 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:56:37.956129 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49257 | 8.8.8.8 | 192.168.2.4
11/25/21-11:56:38.014996 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49780 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:56:43.972123 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49783 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:56:51.220530 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49784 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:56:57.214815 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49785 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:57:03.772463 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49793 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:57:10.856473 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49821 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:57:17.160697 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51255 | 8.8.8.8 | 192.168.2.4
11/25/21-11:57:17.190251 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49824 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:57:22.257795 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52337 | 8.8.8.8 | 192.168.2.4
11/25/21-11:57:22.287984 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49829 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:57:29.921734 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55046 | 8.8.8.8 | 192.168.2.4
11/25/21-11:57:29.951099 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49831 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:57:36.010921 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49853 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:57:42.243149 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49285 | 8.8.8.8 | 192.168.2.4
11/25/21-11:57:42.274632 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49856 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:57:48.301653 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50601 | 8.8.8.8 | 192.168.2.4
11/25/21-11:57:48.330829 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49857 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:57:53.343018 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49859 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:57:59.367307 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 62420 | 8.8.8.8 | 192.168.2.4
11/25/21-11:57:59.485426 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49863 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:58:06.648552 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49864 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:58:11.655619 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49865 | 1187 | 192.168.2.4 | 194.85.248.250
11/25/21-11:58:17.612799 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49866 | 1187 | 192.168.2.4 | 194.85.248.250

                Network Port Distribution

                TCP Packets

                Timestamp                            SrcPort  DstPort  Source IP        Dest IP
                Nov 25, 2021 11:56:19.011879921 CET  49777    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:19.039516926 CET  1187     49777    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:19.041583061 CET  49777    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:19.127979040 CET  49777    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:19.188199997 CET  1187     49777    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:19.197592020 CET  49777    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:19.225462914 CET  1187     49777    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:19.276729107 CET  49777    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:19.305382967 CET  1187     49777    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:19.354899883 CET  49777    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:19.405925035 CET  49777    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:23.496416092 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:23.525118113 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:23.525358915 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:23.526665926 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:23.608026981 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:23.630558014 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:23.631059885 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:23.661622047 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:23.714677095 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:23.850044012 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:23.930211067 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.080091000 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.080143929 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.080183983 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.080221891 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.080296040 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.080348969 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.116147041 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.116200924 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.116239071 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.116276979 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.116314888 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.116314888 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.116349936 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.116355896 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.116396904 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.116406918 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.116437912 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.116478920 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.144262075 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144313097 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144352913 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144392014 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144429922 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144445896 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.144468069 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144478083 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.144507885 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144511938 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.144545078 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144583941 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144598961 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.144622087 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144660950 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144675016 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.144701004 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144737959 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144752026 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.144776106 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144815922 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144829035 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.144882917 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.144934893 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.175323963 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175379038 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175420046 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175461054 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175501108 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175501108 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.175539017 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175540924 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.175581932 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175609112 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.175636053 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175677061 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175685883 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.175718069 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175754070 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175766945 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.175792933 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175832033 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175839901 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.175868988 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175910950 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175920010 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.175955057 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.175993919 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.176008940 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.176033974 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.176069975 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.176085949 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.176109076 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.176146984 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.176156044 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.176186085 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.176223993 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.176238060 CET  49778    1187     192.168.2.4      194.85.248.250
                Nov 25, 2021 11:56:24.176263094 CET  1187     49778    194.85.248.250   192.168.2.4
                Nov 25, 2021 11:56:24.176301956 CET  1187     49778    194.85.248.250   192.168.2.4

                UDP Packets

                Timestamp                            SrcPort  DstPort  Source IP        Dest IP
                Nov 25, 2021 11:56:18.956589937 CET  49714    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:56:19.002612114 CET  53       49714    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:56:23.464132071 CET  58028    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:56:23.493869066 CET  53       58028    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:56:31.314296007 CET  53097    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:56:31.344295979 CET  53       53097    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:56:37.910442114 CET  49257    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:56:37.956129074 CET  53       49257    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:56:43.899588108 CET  49910    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:56:43.937406063 CET  53       49910    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:56:51.154023886 CET  55854    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:56:51.191472054 CET  53       55854    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:56:57.167371988 CET  64549    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:56:57.183079004 CET  53       64549    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:57:03.236888885 CET  56627    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:57:03.274627924 CET  53       56627    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:57:10.784302950 CET  61721    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:57:10.822038889 CET  53       61721    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:57:17.130686998 CET  51255    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:57:17.160696983 CET  53       51255    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:57:22.228977919 CET  52337    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:57:22.257795095 CET  53       52337    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:57:29.875340939 CET  55046    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:57:29.921734095 CET  53       55046    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:57:35.943232059 CET  49612    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:57:35.980635881 CET  53       49612    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:57:42.213505030 CET  49285    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:57:42.243149042 CET  53       49285    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:57:48.256104946 CET  50601    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:57:48.301652908 CET  53       50601    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:57:53.275501013 CET  56448    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:57:53.313308001 CET  53       56448    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:57:59.320873022 CET  62420    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:57:59.367306948 CET  53       62420    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:58:06.567533970 CET  60579    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:58:06.605303049 CET  53       60579    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:58:11.587215900 CET  50183    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:58:11.625068903 CET  53       50183    8.8.8.8          192.168.2.4
                Nov 25, 2021 11:58:17.558532953 CET  61531    53       192.168.2.4      8.8.8.8
                Nov 25, 2021 11:58:17.579953909 CET  53       61531    8.8.8.8          192.168.2.4

                DNS Queries

                Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class
                Nov 25, 2021 11:56:18.956589937 CET  192.168.2.4  8.8.8.8  0xaff9    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:56:23.464132071 CET  192.168.2.4  8.8.8.8  0x2005    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:56:31.314296007 CET  192.168.2.4  8.8.8.8  0xa309    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:56:37.910442114 CET  192.168.2.4  8.8.8.8  0xf45d    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:56:43.899588108 CET  192.168.2.4  8.8.8.8  0x24c     Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:56:51.154023886 CET  192.168.2.4  8.8.8.8  0x81cf    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:56:57.167371988 CET  192.168.2.4  8.8.8.8  0xbdfb    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:03.236888885 CET  192.168.2.4  8.8.8.8  0x5506    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:10.784302950 CET  192.168.2.4  8.8.8.8  0xcbd     Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:17.130686998 CET  192.168.2.4  8.8.8.8  0xecb1    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:22.228977919 CET  192.168.2.4  8.8.8.8  0x62f4    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:29.875340939 CET  192.168.2.4  8.8.8.8  0x121a    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:35.943232059 CET  192.168.2.4  8.8.8.8  0xe785    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:42.213505030 CET  192.168.2.4  8.8.8.8  0x5911    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:48.256104946 CET  192.168.2.4  8.8.8.8  0x8df6    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:53.275501013 CET  192.168.2.4  8.8.8.8  0x520d    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:59.320873022 CET  192.168.2.4  8.8.8.8  0x83c     Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:58:06.567533970 CET  192.168.2.4  8.8.8.8  0xc148    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:58:11.587215900 CET  192.168.2.4  8.8.8.8  0x5e4     Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:58:17.558532953 CET  192.168.2.4  8.8.8.8  0x2196    Standard query (0)  dera31.ddns.net  A (IP address)  IN (0x0001)

                DNS Answers

                Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name             CName  Address         Type            Class
                Nov 25, 2021 11:56:19.002612114 CET  8.8.8.8    192.168.2.4  0xaff9    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:56:23.493869066 CET  8.8.8.8    192.168.2.4  0x2005    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:56:31.344295979 CET  8.8.8.8    192.168.2.4  0xa309    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:56:37.956129074 CET  8.8.8.8    192.168.2.4  0xf45d    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:56:43.937406063 CET  8.8.8.8    192.168.2.4  0x24c     No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:56:51.191472054 CET  8.8.8.8    192.168.2.4  0x81cf    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:56:57.183079004 CET  8.8.8.8    192.168.2.4  0xbdfb    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:03.274627924 CET  8.8.8.8    192.168.2.4  0x5506    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:10.822038889 CET  8.8.8.8    192.168.2.4  0xcbd     No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:17.160696983 CET  8.8.8.8    192.168.2.4  0xecb1    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:22.257795095 CET  8.8.8.8    192.168.2.4  0x62f4    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:29.921734095 CET  8.8.8.8    192.168.2.4  0x121a    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:35.980635881 CET  8.8.8.8    192.168.2.4  0xe785    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:42.243149042 CET  8.8.8.8    192.168.2.4  0x5911    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:48.301652908 CET  8.8.8.8    192.168.2.4  0x8df6    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:53.313308001 CET  8.8.8.8    192.168.2.4  0x520d    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:57:59.367306948 CET  8.8.8.8    192.168.2.4  0x83c     No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:58:06.605303049 CET  8.8.8.8    192.168.2.4  0xc148    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:58:11.625068903 CET  8.8.8.8    192.168.2.4  0x5e4     No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
                Nov 25, 2021 11:58:17.579953909 CET  8.8.8.8    192.168.2.4  0x2196    No error (0)  dera31.ddns.net  -      194.85.248.250  A (IP address)  IN (0x0001)
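                The TCP and DNS tables above together show the three network indicators a defender would key on: the same dynamic-DNS name resolved over and over at a steady interval, every answer pointing at one address, and a TCP session to that address on a port no common service uses. The script below is an added example, not part of the Joe Sandbox report. It takes the 20 DNS query timestamps and the two TCP flows from the tables above, measures how regular the re-resolution is (coefficient of variation of the inter-query gap), and flags the DDNS domain and the non-standard destination port. The DDNS suffix list, the "expected port" set and the periodicity threshold are assumptions chosen for illustration, not values taken from the report.

```python
"""Beaconing and C2 indicators derived from the report's DNS and TCP tables.

Added example; not part of the Joe Sandbox report. Timestamps and flows are
copied from the "DNS Queries" and "TCP Packets" tables (nanoseconds truncated
to microseconds). DDNS_SUFFIXES, EXPECTED_PORTS and MAX_CV_FOR_PERIODIC are
assumptions used for illustration.
"""
from datetime import datetime
from statistics import mean, pstdev

# All 20 query times for dera31.ddns.net, in order, from the report.
QUERY_TIMES = """
11:56:18.956589 11:56:23.464132 11:56:31.314296 11:56:37.910442
11:56:43.899588 11:56:51.154023 11:56:57.167371 11:57:03.236888
11:57:10.784302 11:57:17.130686 11:57:22.228977 11:57:29.875340
11:57:35.943232 11:57:42.213505 11:57:48.256104 11:57:53.275501
11:57:59.320873 11:58:06.567533 11:58:11.587215 11:58:17.558532
""".split()
DNS_QUERIES = [("2021-11-25 " + t, "dera31.ddns.net") for t in QUERY_TIMES]

# (src_port, dst_port, dst_ip) for the two TCP sessions in the report.
TCP_FLOWS = [
    (49777, 1187, "194.85.248.250"),
    (49778, 1187, "194.85.248.250"),
]

# Assumptions: a short list of dynamic-DNS providers, the ports on which
# outbound traffic from a workstation is considered routine, and the
# coefficient-of-variation cut-off below which gaps look like a fixed timer.
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")
EXPECTED_PORTS = {22, 25, 53, 80, 443, 587, 993, 995}
MAX_CV_FOR_PERIODIC = 0.3


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def query_intervals(queries, name):
    """Seconds between consecutive queries for `name`, in time order."""
    stamps = sorted(parse_ts(ts) for ts, qname in queries if qname == name)
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def periodicity(intervals):
    """(mean gap, coefficient of variation); CV near 0 means a fixed retry timer."""
    if len(intervals) < 3:
        return None, None
    m = mean(intervals)
    return m, pstdev(intervals) / m


def is_ddns(name):
    return name.lower().endswith(DDNS_SUFFIXES)


def analyse(queries, flows):
    """Summarise DDNS use, periodic re-resolution and odd destination ports."""
    names = sorted({qname for _, qname in queries})
    findings = {
        "ddns_domains": [n for n in names if is_ddns(n)],
        "periodic": {},
        "nonstandard_ports": sorted(
            {(ip, dport) for _, dport, ip in flows if dport not in EXPECTED_PORTS}
        ),
    }
    for name in names:
        m, cv = periodicity(query_intervals(queries, name))
        if m is not None and cv < MAX_CV_FOR_PERIODIC:
            findings["periodic"][name] = (round(m, 2), round(cv, 3))
    return findings


if __name__ == "__main__":
    for key, value in analyse(DNS_QUERIES, TCP_FLOWS).items():
        print(f"{key}: {value}")
```

                On the report's data the gap between queries averages a little over six seconds with a coefficient of variation well under 0.2, which is what a hard-coded reconnect loop looks like; a human-driven host re-resolving a name would not produce that regularity. The same three checks can be run over DNS and flow logs from a real network by replacing the two constructed lists.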

                Code Manipulations

                Statistics

                Behavior


                System Behavior

                General

                Start time:11:56:10
                Start date:25/11/2021
                Path:C:\Users\user\Desktop\SK TAX INV.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\SK TAX INV.exe"
                Imagebase:0x420000
                File size:493568 bytes
                MD5 hash:C2EE32F9D7DE6B05472CEDA926FD0A6F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp, Author: Joe Security
                Reputation:low

                General

                Start time:11:56:13
                Start date:25/11/2021
                Path:C:\Users\user\Desktop\SK TAX INV.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\Desktop\SK TAX INV.exe
                Imagebase:0xb10000
                File size:493568 bytes
                MD5 hash:C2EE32F9D7DE6B05472CEDA926FD0A6F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                Reputation:low

                General

                Start time:11:56:28
                Start date:25/11/2021
                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                Imagebase:0x360000
                File size:493568 bytes
                MD5 hash:C2EE32F9D7DE6B05472CEDA926FD0A6F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language (sandbox heuristic; the file has the same size and MD5 as the two SK TAX INV.exe processes above, which the report classifies as .Net C# or VB.NET, so this is the same .NET binary copied to the DHCP Monitor directory)
                Antivirus matches:
                • Detection: 18%, Virustotal, Browse
                • Detection: 20%, ReversingLabs
                Reputation:low
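                The three process entries above tell the host-side story: the phished attachment runs from the user's Desktop, spawns a second instance of itself, and fifteen seconds later a byte-identical copy (same size, same MD5) starts from "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" under a service-sounding name. Below is an added example, not part of the report, of the hunt logic that turns that pattern into a finding over process-creation records: group executions by file hash, and report every later run of the same hash from a different path, noting whether the binary was renamed and whether it migrated from a user directory into a system or application-data location. The three records are copied from the report's entries; the directory heuristics are assumptions chosen for illustration.

```python
"""Flag a binary that re-launches itself from a persistence location.

Added example; not part of the Joe Sandbox report. PROCESSES reproduces the
three "System Behavior" entries above (start time, image path, MD5, command
line). USER_DIRS and PERSIST_DIRS are illustrative assumptions.
"""
from collections import defaultdict
import ntpath

# (start_time, image_path, md5, command_line) copied from the report.
PROCESSES = [
    ("11:56:10", r"C:\Users\user\Desktop\SK TAX INV.exe",
     "C2EE32F9D7DE6B05472CEDA926FD0A6F", r'"C:\Users\user\Desktop\SK TAX INV.exe"'),
    ("11:56:13", r"C:\Users\user\Desktop\SK TAX INV.exe",
     "C2EE32F9D7DE6B05472CEDA926FD0A6F", r"C:\Users\user\Desktop\SK TAX INV.exe"),
    ("11:56:28", r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "C2EE32F9D7DE6B05472CEDA926FD0A6F", r'"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"'),
]

# Assumptions: where a mail attachment is first executed, and where malware
# typically parks a copy of itself so it survives a reboot.
USER_DIRS = ("\\users\\",)
PERSIST_DIRS = ("\\program files", "\\appdata\\", "\\programdata\\")


def _is_under(path, prefixes):
    low = path.lower()
    return any(p in low for p in prefixes)


def self_copies(processes):
    """For each hash, report every later execution from a path other than the
    first one seen. Returns a list of findings, earliest copy first."""
    by_hash = defaultdict(list)
    for start, path, md5, _ in processes:
        by_hash[md5.upper()].append((start, path))

    findings = []
    for md5, runs in by_hash.items():
        runs.sort()                      # HH:MM:SS strings sort chronologically
        original = runs[0][1]
        seen = {original.lower()}
        for start, path in runs[1:]:
            if path.lower() in seen:
                continue                 # same image, same location: just a re-spawn
            seen.add(path.lower())
            findings.append({
                "md5": md5,
                "first_seen": runs[0][0],
                "copy_started": start,
                "original": original,
                "copy": path,
                "renamed": ntpath.basename(original).lower()
                           != ntpath.basename(path).lower(),
                "moved_to_persist_dir": _is_under(original, USER_DIRS)
                                        and _is_under(path, PERSIST_DIRS),
            })
    return findings


if __name__ == "__main__":
    for f in self_copies(PROCESSES):
        print(f"{f['md5']}: {f['original']} -> {f['copy']} "
              f"(renamed={f['renamed']}, persist_dir={f['moved_to_persist_dir']})")
```

                The second SK TAX INV.exe process is deliberately not reported: same hash, same path is the injection/re-spawn behaviour the report already notes, not a new persistence location. Fed with Sysmon process-creation events (the Image and Hashes fields carry the same information) the function surfaces the Desktop-to-Program Files hop on its own, without needing a signature for the dhcpmon.exe name.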

                Disassembly

                Code Analysis
