Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:880637
MD5:8d93c7903bfd5900d72dbeb3b0968508
SHA1:fad787dd1ebae5cc64aaf7762dd6f49de50adfa7
SHA256:685522dda736e8c071fcc9dc4b7bb3d58c45f36828eb0b8ca8557e5ec56499ad
Tags:NETexeMSILx64zgRAT
Infos:

Detection

Nanocore, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected Nanocore RAT
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 5540 cmdline: C:\Users\user\Desktop\file.exe MD5: 8D93C7903BFD5900D72DBEB3B0968508)
    • CasPol.exe (PID: 5688 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 6688 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 6672 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 6636 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
  • dhcpmon.exe (PID: 7020 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
    • conhost.exe (PID: 5172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Nanocore RAT, NanoCoreNanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.
  • APT33
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore
NameDescriptionAttributionBlogpost URLsLink
zgRATNo Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "954449b5-566c-46fe-92f0-8eb82a7f", "Group": "Cashout", "Domain1": "ezemnia3.ddns.net", "Domain2": "91.193.75.178", "Port": 62335, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
file.exeJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
    file.exeMALWARE_Win_zgRATDetects zgRATditekSHen
    • 0x1011f:$s1: file:///
    • 0x1002d:$s2: {11111-22222-10009-11112}
    • 0x100af:$s3: {11111-22222-50001-00000}
    • 0xf54d:$s4: get_Module
    • 0xbf35:$s5: Reverse
    • 0xe4d6:$s6: BlockCopy
    • 0xc27b:$s7: ReadByte
    • 0x10131:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0x2f0d:$a: NanoCore
      • 0x2f66:$a: NanoCore
      • 0x2fa3:$a: NanoCore
      • 0x301c:$a: NanoCore
      • 0x166c7:$a: NanoCore
      • 0x166dc:$a: NanoCore
      • 0x16711:$a: NanoCore
      • 0x2f18b:$a: NanoCore
      • 0x2f1a0:$a: NanoCore
      • 0x2f1d5:$a: NanoCore
      • 0x2f6f:$b: ClientPlugin
      • 0x2fac:$b: ClientPlugin
      • 0x38aa:$b: ClientPlugin
      • 0x38b7:$b: ClientPlugin
      • 0x16483:$b: ClientPlugin
      • 0x1649e:$b: ClientPlugin
      • 0x164ce:$b: ClientPlugin
      • 0x166e5:$b: ClientPlugin
      • 0x1671a:$b: ClientPlugin
      • 0x2ef47:$b: ClientPlugin
      • 0x2ef62:$b: ClientPlugin
      00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Nanocore_d8c4e3c5unknownunknown
      • 0x2fa3:$a1: NanoCore.ClientPluginHost
      • 0x16711:$a1: NanoCore.ClientPluginHost
      • 0x2f1d5:$a1: NanoCore.ClientPluginHost
      • 0x2f66:$a2: NanoCore.ClientPlugin
      • 0x166dc:$a2: NanoCore.ClientPlugin
      • 0x2f1a0:$a2: NanoCore.ClientPlugin
      • 0x333a:$b1: get_BuilderSettings
      • 0x1b657:$b1: get_BuilderSettings
      • 0x3411b:$b1: get_BuilderSettings
      • 0x2ff1:$b4: IClientAppHost
      • 0x33ab:$b6: AddHostEntry
      • 0x341a:$b7: LogClientException
      • 0x1b5c6:$b7: LogClientException
      • 0x3408a:$b7: LogClientException
      • 0x338f:$b8: PipeExists
      • 0x2fde:$b9: IClientLoggingHost
      • 0x1672b:$b9: IClientLoggingHost
      • 0x2f1ef:$b9: IClientLoggingHost
      00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth (Nextron Systems)
      • 0xe75:$x1: NanoCore.ClientPluginHost
      • 0xe8f:$x2: IClientNetworkHost
      00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth (Nextron Systems)
      • 0xe75:$x2: NanoCore.ClientPluginHost
      • 0x1261:$s3: PipeExists
      • 0x1136:$s4: PipeCreated
      • 0xeb0:$s5: IClientLoggingHost
      Click to see the 24 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      6.2.CasPol.exe.5d90000.7.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth (Nextron Systems)
      • 0xf7ad:$x1: NanoCore.ClientPluginHost
      • 0xf7da:$x2: IClientNetworkHost
      6.2.CasPol.exe.5d90000.7.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth (Nextron Systems)
      • 0xf7ad:$x2: NanoCore.ClientPluginHost
      • 0x10888:$s4: PipeCreated
      • 0xf7c7:$s5: IClientLoggingHost
      6.2.CasPol.exe.5d90000.7.raw.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        6.2.CasPol.exe.5d90000.7.raw.unpackMALWARE_Win_NanoCoreDetects NanoCoreditekSHen
        • 0xf778:$x2: NanoCore.ClientPlugin
        • 0xf7ad:$x3: NanoCore.ClientPluginHost
        • 0xf76c:$i2: IClientData
        • 0xf78e:$i3: IClientNetwork
        • 0xf79d:$i5: IClientDataHost
        • 0xf7c7:$i6: IClientLoggingHost
        • 0xf7da:$i7: IClientNetworkHost
        • 0xf7ed:$i8: IClientUIHost
        • 0xf7fb:$i9: IClientNameObjectCollection
        • 0xf817:$i10: IClientReadOnlyNameObjectCollection
        • 0xf56a:$s1: ClientPlugin
        • 0xf781:$s1: ClientPlugin
        • 0x147a2:$s6: get_ClientSettings
        6.2.CasPol.exe.5d90000.7.raw.unpackWindows_Trojan_Nanocore_d8c4e3c5unknownunknown
        • 0xf7ad:$a1: NanoCore.ClientPluginHost
        • 0xf778:$a2: NanoCore.ClientPlugin
        • 0x146f3:$b1: get_BuilderSettings
        • 0x14662:$b7: LogClientException
        • 0xf7c7:$b9: IClientLoggingHost
        Click to see the 61 entries

        Sigma Signatures

        AV Detection

        barindex
        Sigma detected: NanoCore
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        E-Banking Fraud

        barindex
        Sigma detected: NanoCore
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Stealing of Sensitive Information

        barindex
        Sigma detected: NanoCore
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Remote Access Functionality

        barindex
        Sigma detected: NanoCore
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Snort Signatures

        No Snort rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Found malware configuration
        Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "954449b5-566c-46fe-92f0-8eb82a7f", "Group": "Cashout", "Domain1": "ezemnia3.ddns.net", "Domain2": "91.193.75.178", "Port": 62335, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
        Multi AV Scanner detection for submitted file
        Source: file.exeReversingLabs: Detection: 43%
        Source: file.exeVirustotal: Detection: 38%Perma Link
        Antivirus / Scanner detection for submitted sample
        Source: file.exeAvira: detected
        Antivirus detection for URL or domain
        Source: ezemnia3.ddns.netAvira URL Cloud: Label: malware
        Source: 91.193.75.178Avira URL Cloud: Label: malware
        Multi AV Scanner detection for domain / URL
        Source: ezemnia3.ddns.netVirustotal: Detection: 6%Perma Link
        Source: ezemnia3.ddns.netVirustotal: Detection: 6%Perma Link
        Source: 91.193.75.178Virustotal: Detection: 13%Perma Link
        Yara detected Nanocore RAT
        Source: Yara matchFile source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTR
        Machine Learning detection for sample
        Source: file.exeJoe Sandbox ML: detected
        Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: CEMENT.pdb source: file.exe, 00000000.00000002.549229090.00000145C19F0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.549352152.00000145C327A000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: NNnBbBb88837363.pdb source: file.exe
        Source: Binary string: caspol.pdbdv source: CasPol.exe, 00000006.00000003.550917074.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000007.00000000.571315354.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, dhcpmon.exe.6.dr
        Source: Binary string: b77a5c561934e089\mscorlib.pdb source: CasPol.exe, 00000006.00000002.804277570.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: caspol.pdb source: CasPol.exe, 00000006.00000003.550917074.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000007.00000000.571315354.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, dhcpmon.exe.6.dr

        Networking

        barindex
        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractorURLs: ezemnia3.ddns.net
        Source: Malware configuration extractorURLs: 91.193.75.178
        Uses dynamic DNS services
        Source: unknownDNS query: name: ezemnia3.ddns.net
        Source: Joe Sandbox ViewASN Name: VCG-ASNG VCG-ASNG
        Source: Joe Sandbox ViewASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
        Source: global trafficTCP traffic: 192.168.2.4:49695 -> 197.210.227.232:62335
        Source: global trafficTCP traffic: 192.168.2.4:49701 -> 91.193.75.178:62335
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.178
        Source: file.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
        Source: file.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
        Source: file.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
        Source: file.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
        Source: file.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
        Source: file.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
        Source: file.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
        Source: file.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
        Source: file.exeString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
        Source: file.exeString found in binary or memory: http://ocsp.digicert.com0
        Source: file.exeString found in binary or memory: http://ocsp.digicert.com0A
        Source: file.exeString found in binary or memory: http://ocsp.digicert.com0C
        Source: file.exeString found in binary or memory: http://ocsp.digicert.com0X
        Source: file.exeString found in binary or memory: http://s.symcb.com/universal-root.crl0
        Source: file.exeString found in binary or memory: http://s.symcd.com06
        Source: CasPol.exe, 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: file.exeString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
        Source: file.exeString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
        Source: file.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
        Source: file.exeString found in binary or memory: http://www.digicert.com/CPS0
        Source: file.exeString found in binary or memory: https://d.symcb.com/cps0%
        Source: file.exeString found in binary or memory: https://d.symcb.com/rpa0
        Source: file.exeString found in binary or memory: https://d.symcb.com/rpa0.
        Source: unknownDNS traffic detected: queries for: ezemnia3.ddns.net
        Source: CasPol.exe, 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud

        barindex
        Yara detected Nanocore RAT
        Source: Yara matchFile source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTR

        System Summary

        barindex
        Malicious sample detected (through community Yara rule)
        Source: file.exe, type: SAMPLEMatched rule: Detects zgRAT Author: ditekSHen
        Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 0.2.file.exe.145c1610000.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 0.0.file.exe.145c1610000.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
        Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
        Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
        Source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
        Source: file.exe, type: SAMPLEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.51f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 0.2.file.exe.145c1610000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 6.2.CasPol.exe.2f3e5c4.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 0.0.file.exe.145c1610000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_011DE4716_2_011DE471
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_011DE4806_2_011DE480
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_011DBBD46_2_011DBBD4
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_062700406_2_06270040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_02C609587_2_02C60958
        Source: file.exeStatic PE information: No import functions for PE file found
        Source: file.exeBinary or memory string: OriginalFilename vs file.exe
        Source: file.exe, 00000000.00000002.549229090.00000145C19F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
        Source: file.exe, 00000000.00000002.548528869.00000145C185C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
        Source: file.exe, 00000000.00000002.549352152.00000145C327A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
        Source: file.exeBinary or memory string: OriginalFilenameNNnBbBb88837363.exe@ vs file.exe
        Source: file.exeStatic PE information: invalid certificate
        Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: file.exeReversingLabs: Detection: 43%
        Source: file.exeVirustotal: Detection: 38%
        Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exeJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exeJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exeJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exeJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
        Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.logJump to behavior
        Source: classification engineClassification label: mal100.troj.evad.winEXE@11/5@6/2
        Source: 7.0.dhcpmon.exe.a20000.0.unpack, Microsoft.Tools.Caspol/caspol.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 7.0.dhcpmon.exe.a20000.0.unpack, Microsoft.Tools.Caspol/caspol.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: dhcpmon.exe.6.dr, Microsoft.Tools.Caspol/caspol.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: dhcpmon.exe.6.dr, Microsoft.Tools.Caspol/caspol.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: file.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
        Source: C:\Users\user\Desktop\file.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{954449b5-566c-46fe-92f0-8eb82a7f77b0}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5172:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: file.exe, eIQBFj4YOoPaQh0jeI/hWJSDt1cbIHhwB8IyT.csCryptographic APIs: 'CreateDecryptor'
        Source: file.exe, eIQBFj4YOoPaQh0jeI/hWJSDt1cbIHhwB8IyT.csCryptographic APIs: 'CreateDecryptor'
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: CEMENT.pdb source: file.exe, 00000000.00000002.549229090.00000145C19F0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.549352152.00000145C327A000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: NNnBbBb88837363.pdb source: file.exe
        Source: Binary string: caspol.pdbdv source: CasPol.exe, 00000006.00000003.550917074.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000007.00000000.571315354.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, dhcpmon.exe.6.dr
        Source: Binary string: b77a5c561934e089\mscorlib.pdb source: CasPol.exe, 00000006.00000002.804277570.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: caspol.pdb source: CasPol.exe, 00000006.00000003.550917074.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000007.00000000.571315354.0000000000A22000.00000002.00000001.01000000.00000007.sdmp, dhcpmon.exe.6.dr

        Data Obfuscation

        barindex
        .NET source code contains potential unpacker
        Source: file.exe, eL5q8HsERTwMsdrqmV/uo8s0vg8A5M29mVwMB.cs.Net Code: uo8gs0v8A System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        .NET source code contains method to dynamically call methods (often used by packers)
        Source: file.exe, eIQBFj4YOoPaQh0jeI/hWJSDt1cbIHhwB8IyT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FF8161752A0 push ebx; retf 0_2_00007FF8161752B1
        Source: file.exeStatic PE information: real checksum: 0xd69ae should be: 0xd2b30
        Source: file.exeStatic PE information: 0xC358B1DE [Wed Nov 8 12:30:22 2073 UTC]
        Source: initial sampleStatic PE information: section name: .text entropy: 7.952638566367337
        Source: file.exe, eIQBFj4YOoPaQh0jeI/hWJSDt1cbIHhwB8IyT.csHigh entropy of concatenated method names: '.cctor', 'xbQ5ZiM2QQOJI', 'QeO1hXjX2', 'PTA4ALlxk', 'wgDGkBauJ', 'jynTfrlxm', 'TKPRtMKRt', 'fjTYr7jq5', 'HngPRVud2', 'VL2FB9Np1'
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

        Hooking and other Techniques for Hiding and Protection

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exe TID: 5512Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6804Thread sleep time: -13835058055282155s >= -30000sJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4948Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 9582Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: foregroundWindowGot 1142Jump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: CasPol.exe, 00000006.00000002.804277570.0000000000E22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
        Source: C:\Users\user\Desktop\file.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000Jump to behavior
        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000Jump to behavior
        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 420000Jump to behavior
        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 422000Jump to behavior
        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: AB9008Jump to behavior
        .NET source code references suspicious native API functions
        Source: file.exe, eIQBFj4YOoPaQh0jeI/hWJSDt1cbIHhwB8IyT.csReference to suspicious API methods: ('BUUqp5gVv', 'GetProcAddress@kernel32'), ('i4KotaHEv', 'LoadLibrary@kernel32')
        Source: 6.2.CasPol.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.csReference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
        Allocates memory in foreign processes
        Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and writeJump to behavior
        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5AJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exeJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exeJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exeJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exeJump to behavior
        Source: CasPol.exe, 00000006.00000002.805344954.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.805344954.0000000003338000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.805344954.0000000003021000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerH
        Source: CasPol.exe, 00000006.00000002.805344954.000000000328D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.805344954.000000000321F000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.809918412.00000000068BD000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager
        Source: CasPol.exe, 00000006.00000002.805344954.0000000003338000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerPZ
        Source: CasPol.exe, 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managert
        Source: CasPol.exe, 00000006.00000002.805344954.000000000328D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerHa
        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Stealing of Sensitive Information

        barindex
        Yara detected zgRAT
        Source: Yara matchFile source: file.exe, type: SAMPLE
        Source: Yara matchFile source: 0.2.file.exe.145c1610000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.0.file.exe.145c1610000.0.unpack, type: UNPACKEDPE
        Yara detected Nanocore RAT
        Source: Yara matchFile source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTR

        Remote Access Functionality

        barindex
        Yara detected zgRAT
        Source: Yara matchFile source: file.exe, type: SAMPLE
        Source: Yara matchFile source: 0.2.file.exe.145c1610000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.0.file.exe.145c1610000.0.unpack, type: UNPACKEDPE
        Detected Nanocore Rat
        Source: file.exe, 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: CasPol.exe, 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: CasPol.exe, 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: CasPol.exe, 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: CasPol.exe, 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: CasPol.exe, 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: CasPol.exe, 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: CasPol.exe, 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: CasPol.exe, 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara matchFile source: 6.2.CasPol.exe.5d90000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f2ff64.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f2b12e.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f2ff64.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.5d94629.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.5d90000.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.file.exe.145d4f40110.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.3f3458d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.file.exe.145d4f40110.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: file.exe PID: 5540, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 6636, type: MEMORYSTR

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid Accounts1
        Native API        		Path Interception312
        Process Injection        		2
        Masquerading        		11
        Input Capture        		1
        Security Software Discovery        		Remote Services11
        Input Capture        		Exfiltration Over Other Network Medium1
        Encrypted Channel        		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
        Disable or Modify Tools        		LSASS Memory2
        Process Discovery        		Remote Desktop Protocol11
        Archive Collected Data        		Exfiltration Over Bluetooth1
        Non-Standard Port        		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
        Virtualization/Sandbox Evasion        		Security Account Manager21
        Virtualization/Sandbox Evasion        		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
        Remote Access Software        		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)312
        Process Injection        		NTDS1
        Application Window Discovery        		Distributed Component Object ModelInput CaptureScheduled Transfer1
        Non-Application Layer Protocol        		SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
        Deobfuscate/Decode Files or Information        		LSA Secrets12
        System Information Discovery        		SSHKeyloggingData Transfer Size Limits21
        Application Layer Protocol        		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.common1
        Hidden Files and Directories        		Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup Items2
        Obfuscated Files or Information        		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job22
        Software Packing        		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
        Timestomp        		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        file.exe43%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
        file.exe39%VirustotalBrowse
        file.exe100%AviraHEUR/AGEN.1325558
        file.exe100%Joe Sandbox ML

        Dropped Files

        SourceDetectionScannerLabelLink
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe0%ReversingLabs

        Unpacked PE Files

        No Antivirus matches

        Domains

        SourceDetectionScannerLabelLink
        ezemnia3.ddns.net7%VirustotalBrowse

        URLs

        SourceDetectionScannerLabelLink
        ezemnia3.ddns.net7%VirustotalBrowse
        91.193.75.17813%VirustotalBrowse
        ezemnia3.ddns.net100%Avira URL Cloudmalware
        91.193.75.178100%Avira URL Cloudmalware

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        ezemnia3.ddns.net
        		197.210.227.232
        		truetrueunknown

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        ezemnia3.ddns.nettrue
        • 7%, Virustotal, Browse
        • Avira URL Cloud: malware
        		unknown
        91.193.75.178true
        • 13%, Virustotal, Browse
        • Avira URL Cloud: malware
        		unknown

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCasPol.exe, 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmpfalse
          		high

          World Map of Contacted IPs

          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs

          Public IPs

          IPDomainCountryFlagASNASN NameMalicious
          197.210.227.232
          		ezemnia3.ddns.netNigeria
          		29465VCG-ASNGtrue
          91.193.75.178
          		unknownSerbia
          		209623DAVID_CRAIGGGtrue

          General Information

          Joe Sandbox Version:37.1.0 Beryl
          Analysis ID:880637
          Start date and time:2023-06-02 15:37:42 +02:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 10m 48s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed:9
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample file name:file.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@11/5@6/2
          EGA Information:
          • Successful, ratio: 33.3%
          HDC Information:
          • Successful, ratio: 23.3% (good quality ratio 19.9%)
          • Quality average: 56.3%
          • Quality standard deviation: 33.9%
          HCA Information:
          • Successful, ratio: 80%
          • Number of executed functions: 48
          • Number of non-executed functions: 4
          Cookbook Comments:
          • Found application associated with file extension: .exe

          Warnings

          • Exclude process from analysis (whitelisted): audiodg.exe, WMIADAP.exe
          • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
          • Execution Graph export aborted for target dhcpmon.exe, PID 7020 because it is empty
          • Execution Graph export aborted for target file.exe, PID 5540 because it is empty
          • Not all processes where analyzed, report is missing behavior information

          Simulations

          Behavior and APIs

          TimeTypeDescription
          15:38:43API Interceptor1003x Sleep call for process: CasPol.exe modified
          15:38:44AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

          Joe Sandbox View / Context

          IPs

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          91.193.75.178mona.lerioprovantageOrder25-10-2022.scr.exeGet hashmaliciousAveMaria, UACMeBrowse

            Domains

            No context

            ASNs

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            VCG-ASNG85AIf1A9HL.elfGet hashmaliciousMirai, MoobotBrowse
            • 197.210.224.166
            oSa4mCa2to.elfGet hashmaliciousMirai, MoobotBrowse
            • 197.210.52.180
            ztXcSRBenJ.elfGet hashmaliciousMirai, MoobotBrowse
            • 41.206.0.64
            yR28mIJkTh.elfGet hashmaliciousMirai, MoobotBrowse
            • 197.210.224.161
            8i87E84xva.elfGet hashmaliciousMirai, MoobotBrowse
            • 197.210.224.168
            6AU1Y1X4Oy.elfGet hashmaliciousMirai, MoobotBrowse
            • 197.210.99.183
            RQsecy8d0u.elfGet hashmaliciousMirai, MoobotBrowse
            • 197.210.224.150
            etCjEgSqfA.elfGet hashmaliciousMirai, MoobotBrowse
            • 197.210.52.188
            XHe2PHQoBa.elfGet hashmaliciousMiraiBrowse
            • 102.91.233.49
            OqAiyoDGN2.elfGet hashmaliciousMirai, MoobotBrowse
            • 197.210.224.160
            G5QOCvRRrI.elfGet hashmaliciousMirai, MoobotBrowse
            • 197.210.52.191
            Proforma_Invoice.exeGet hashmaliciousRemcosBrowse
            • 197.210.84.20
            HCH8Siog9X.elfGet hashmaliciousMirai, MoobotBrowse
            • 197.210.99.197
            jBhmxU9F1H.elfGet hashmaliciousMirai, MoobotBrowse
            • 41.206.0.72
            b3kQMXltP6.elfGet hashmaliciousMirai, MoobotBrowse
            • 197.210.172.239
            2p710QCUte.elfGet hashmaliciousMirai, MoobotBrowse
            • 102.90.197.203
            rPJ9o3VWfD.elfGet hashmaliciousMirai, MoobotBrowse
            • 41.206.0.78
            x86.elfGet hashmaliciousMirai, MoobotBrowse
            • 197.210.170.1
            Ya10Y6d7wD.elfGet hashmaliciousMiraiBrowse
            • 102.90.150.248
            SecuriteInfo.com.Trojan.Linux.Generic.298766.32725.20286.elfGet hashmaliciousMiraiBrowse
            • 197.210.52.187
            DAVID_CRAIGGGfile.exeGet hashmaliciousAveMaria, UACMeBrowse
            • 91.193.75.154
            file.exeGet hashmaliciousAveMaria, UACMeBrowse
            • 91.193.75.154
            2023-05-25_LG#Ud654#Ud559_#Ud611#Ub825#Uc0ac_#Ud3c9#Uac00_#Uc694#Uccad#Uc790#Ub8cc#U00b7pdf.exeGet hashmaliciousRemcosBrowse
            • 91.193.75.231
            Order-POF561.jsGet hashmaliciousVjW0rm, AgentTeslaBrowse
            • 91.193.75.131
            OrderPO22170555823612pg.jsGet hashmaliciousWSHRat, VjW0rmBrowse
            • 91.193.75.131
            old outstanding .PDF.jsGet hashmaliciousWSHRat, VjW0rmBrowse
            • 91.193.75.131
            Confirmation_Slip.PDF.jsGet hashmaliciousWSHRat, VjW0rmBrowse
            • 91.193.75.131
            ORDERNO8499009.PDF.exeGet hashmaliciousAveMaria, UACMeBrowse
            • 91.193.75.134
            INVOICE.PDF.jsGet hashmaliciousWSHRat, VjW0rmBrowse
            • 91.193.75.131
            AWB#476587652.PDF.jsGet hashmaliciousVjW0rm, STRRATBrowse
            • 91.193.75.131
            NEW_PO#_230469008.jsGet hashmaliciousWSHRat, VjW0rmBrowse
            • 91.193.75.131
            TTE0009000.exeGet hashmaliciousRemcos, GuLoaderBrowse
            • 91.193.75.179
            790087654REWMPM.exeGet hashmaliciousRemcosBrowse
            • 91.193.75.179
            RHOP98765434567.exeGet hashmaliciousRemcosBrowse
            • 91.193.75.179
            HAWB#68564359.pdf.jsGet hashmaliciousWSHRat, VjW0rmBrowse
            • 91.193.75.131
            AWB#00756543.pdf.jsGet hashmaliciousWSHRat, VjW0rmBrowse
            • 91.193.75.131
            DATA SHEET.exeGet hashmaliciousAveMaria, UACMeBrowse
            • 91.193.75.142
            xyMxPOlHzrr7.exeGet hashmaliciousNjratBrowse
            • 91.193.75.234
            order_list.exeGet hashmaliciousNanocoreBrowse
            • 91.193.75.135
            Charter_Request.vbsGet hashmaliciousNjratBrowse
            • 91.193.75.176

            JA3 Fingerprints

            No context

            Dropped Files

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSecuriteInfo.com.Variant.Tedy.268270.10392.14925.exeGet hashmaliciousAgentTeslaBrowse
              RFQ12152022-CFASTENERS.exeGet hashmaliciousAgentTeslaBrowse
                SecuriteInfo.com.Win64.CrypterX-gen.29893.10701.exeGet hashmaliciousAgentTeslaBrowse
                  SecuriteInfo.com.W64.MSIL_Agent.EGC.gen.Eldorado.4749.1675.exeGet hashmaliciousAgentTeslaBrowse
                    SecuriteInfo.com.Variant.MSILHeracles.57647.31347.6402.exeGet hashmaliciousUnknownBrowse
                      SecuriteInfo.com.Win64.SpywareX-gen.8757.4281.exeGet hashmaliciousAgentTeslaBrowse
                        RFQ12182022-CFASTENERS.exeGet hashmaliciousAgentTeslaBrowse
                          a516b9a.exeGet hashmaliciousAgentTeslaBrowse
                            BL672802783628376927.xls.exeGet hashmaliciousAgentTeslaBrowse
                              COSU802638767087391028.xlsx.exeGet hashmaliciousAgentTeslaBrowse
                                lYLa9NxVxz.exeGet hashmaliciousAgentTeslaBrowse
                                  mHxIARlBs3.exeGet hashmaliciousAgentTeslaBrowse
                                    TaZ7s6VkLR.exeGet hashmaliciousAgentTeslaBrowse
                                      SecuriteInfo.com.Win64.TrojanX-gen.5439.21008.exeGet hashmaliciousAgentTeslaBrowse
                                        wssghmw9WY.exeGet hashmaliciousAgentTeslaBrowse
                                          SecuriteInfo.com.Win64.Evo-gen.7869.12301.exeGet hashmaliciousAgentTeslaBrowse
                                            QUOTATIONS#873622.exeGet hashmaliciousAgentTeslaBrowse
                                              MACHINE SPECIFICATIONS.exeGet hashmaliciousAgentTeslaBrowse
                                                SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.1956.16034.exeGet hashmaliciousAgentTeslaBrowse
                                                  SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.14198.17336.exeGet hashmaliciousAgentTeslaBrowse

                                                    Created / dropped Files

                                                    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

                                                    Download File
                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):107624
                                                    Entropy (8bit):5.882571203162287
                                                    Encrypted:false
                                                    SSDEEP:1536:oSF7vA1hRqHixxMjlI34j8p2mdc/6A4vW/CU1RPMRVQJE:/A1hDPMip2mdcyA4vW/JRPMLQW
                                                    MD5:F866FC1C2E928779C7119353C3091F0C
                                                    SHA1:70D06064E2F12CFB10A82BC985F86F58EA7A4138
                                                    SHA-256:67F3FC243C58EEAE55BDDC22CE025B7841A89ACA2E201B999D8C0E4F07D177B8
                                                    SHA-512:B28B10801580726B85AB5F796EA26835648A3ACFBE1FBA95DFC687439B43FF9548BD3AB9EFC85D88FC071D232718BCFFAC614CC5BFF159173996A3D2AB22154D
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Joe Sandbox View:
                                                    • Filename: SecuriteInfo.com.Variant.Tedy.268270.10392.14925.exe, Detection: malicious, Browse
                                                    • Filename: RFQ12152022-CFASTENERS.exe, Detection: malicious, Browse
                                                    • Filename: SecuriteInfo.com.Win64.CrypterX-gen.29893.10701.exe, Detection: malicious, Browse
                                                    • Filename: SecuriteInfo.com.W64.MSIL_Agent.EGC.gen.Eldorado.4749.1675.exe, Detection: malicious, Browse
                                                    • Filename: SecuriteInfo.com.Variant.MSILHeracles.57647.31347.6402.exe, Detection: malicious, Browse
                                                    • Filename: SecuriteInfo.com.Win64.SpywareX-gen.8757.4281.exe, Detection: malicious, Browse
                                                    • Filename: RFQ12182022-CFASTENERS.exe, Detection: malicious, Browse
                                                    • Filename: a516b9a.exe, Detection: malicious, Browse
                                                    • Filename: BL672802783628376927.xls.exe, Detection: malicious, Browse
                                                    • Filename: COSU802638767087391028.xlsx.exe, Detection: malicious, Browse
                                                    • Filename: lYLa9NxVxz.exe, Detection: malicious, Browse
                                                    • Filename: mHxIARlBs3.exe, Detection: malicious, Browse
                                                    • Filename: TaZ7s6VkLR.exe, Detection: malicious, Browse
                                                    • Filename: SecuriteInfo.com.Win64.TrojanX-gen.5439.21008.exe, Detection: malicious, Browse
                                                    • Filename: wssghmw9WY.exe, Detection: malicious, Browse
                                                    • Filename: SecuriteInfo.com.Win64.Evo-gen.7869.12301.exe, Detection: malicious, Browse
                                                    • Filename: QUOTATIONS#873622.exe, Detection: malicious, Browse
                                                    • Filename: MACHINE SPECIFICATIONS.exe, Detection: malicious, Browse
                                                    • Filename: SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.1956.16034.exe, Detection: malicious, Browse
                                                    • Filename: SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.14198.17336.exe, Detection: malicious, Browse
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...rX.Z..............0..X...........v... ........@.. ..............................Q.....`.................................<v..O.......$............f..h>...........u............................................... ............... ..H............text....V... ...X.................. ..`.rsrc...$............Z..............@..@.reloc...............d..............@..B................pv......H.......,...`...............xE...t......................................2~P....o....*.r...p(....*VrK..p(....s.....P...*..0.._.......~....:O....>.....%.rm..p...A...s......su....%.r...p...A...s....rm..p.su....%.r...p...B...s......su....%.r...p...B...s....r...p.su....%.r...p...C...s......su....%.r...p...C...s....r...p.su....%.r...p...D...s......su....%.r...p...D...s....r...p.su....%.r...p...E...s......su....%..r...p...E...s....r...p.su....%..r...p...F...s......su....%..r...p...F

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

                                                    Download File
                                                    Process:C:\Users\user\Desktop\file.exe
                                                    File Type:CSV text
                                                    Category:dropped
                                                    Size (bytes):226
                                                    Entropy (8bit):5.354940450065058
                                                    Encrypted:false
                                                    SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
                                                    MD5:B10E37251C5B495643F331DB2EEC3394
                                                    SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
                                                    SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
                                                    SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
                                                    Malicious:true
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

                                                    Download File
                                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):42
                                                    Entropy (8bit):4.0050635535766075
                                                    Encrypted:false
                                                    SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                    MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                    SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                    SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                    SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                    Malicious:false
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..

                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

                                                    Download File
                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                    File Type:Non-ISO extended-ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):8
                                                    Entropy (8bit):3.0
                                                    Encrypted:false
                                                    SSDEEP:3:YD:YD
                                                    MD5:B9FAA684C030A959ECE6EDA0744AFD35
                                                    SHA1:1CF54F509326FE102FC5EAEDB7A40FD01596867B
                                                    SHA-256:473C5B472D03FC596D7FD7A483C62F9A54E839F21F81C8C21F5222A800F1C8E3
                                                    SHA-512:6F50C9464093DA3735B6DF7E4F076A1C92CDFC14BC1B03D287EAC4F622130E9FE65EB4B168A3F30B8BA69C7FC42111566766BD84DC137E6EA2AFC82AB694BFA0
                                                    Malicious:true
                                                    Preview:....nc.H

                                                    \Device\ConDrv

                                                    Download File
                                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):486
                                                    Entropy (8bit):5.064987733454706
                                                    Encrypted:false
                                                    SSDEEP:12:z30U30b4BFNY8fNFquci7S1pE+DPOCN6+QOH5JyY:z3F3g4DO4UE+Tz5JB
                                                    MD5:30394F72BB157162F35A2DEB1F48BD1A
                                                    SHA1:66AD7D748F42C64E0698606A8F019D165DE657E8
                                                    SHA-256:133FABF0CD558FA3E5144E9EF35654FA0422F8424C6D5D82828B8D10EC9BA295
                                                    SHA-512:A93E12D6C9927403FE0E20B8A698B24007EBCCD53A29AD65428366C6CE3CED05E5F3AEFF1D46C7D9F174EAEAE5059F0B5D12353B6022965CDC5D187E45FA72E9
                                                    Malicious:false
                                                    Preview:Microsoft .NET Framework CasPol 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....WARNING: The .NET Framework does not apply CAS policy by default. Any settings shown or modified by CasPol will only ..affect applications that opt into using CAS policy. ....Please see http://go.microsoft.com/fwlink/?LinkId=131738 for more information. ......ERROR: Not enough arguments....For usage information, use 'caspol -?'..

                                                    Static File Info

                                                    General

                                                    File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.944928855592647
                                                    TrID:
                                                    • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                                    • Win64 Executable GUI (202006/5) 46.43%
                                                    • Win64 Executable (generic) (12005/4) 2.76%
                                                    • Generic Win/DOS Executable (2004/3) 0.46%
                                                    • DOS Executable Generic (2002/1) 0.46%
                                                    File name:file.exe
                                                    File size:834112
                                                    MD5:8d93c7903bfd5900d72dbeb3b0968508
                                                    SHA1:fad787dd1ebae5cc64aaf7762dd6f49de50adfa7
                                                    SHA256:685522dda736e8c071fcc9dc4b7bb3d58c45f36828eb0b8ca8557e5ec56499ad
                                                    SHA512:c6a36b15350a8579d81f6d9fa9b3f069251dcee996f2047a2b6c60bd4c1705b4bb1a3a954ead68378119c460db385a554901950a7240ca40b54ed589d9bf46e1
                                                    SSDEEP:24576:0mr0x3EEEfgYsSKS+KY9Zl6IX+OPZjv8+i0YUlo4:0mry3EEWKHrLPZjvpzlo4
                                                    TLSH:070512697744348DC81BC8B1D9EA0C3167A277AB6777C3073147128E8E8E7D6CF581A6
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....X...............0..T............... ....@...... ...............................i....`...@......@............... .....

                                                    File Icon

                                                    Icon Hash:526c6a52d0e4f047

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x400000
                                                    Entrypoint Section:
                                                    Digitally signed:true
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0xC358B1DE [Wed Nov 8 12:30:22 2073 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:

                                                    Authenticode Signature

                                                    Signature Valid:false
                                                    Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                    Signature Validation Error:The digital signature of the object did not verify
                                                    Error Number:-2146869232
                                                    Not Before, Not After
                                                    • 12/13/2021 1:00:00 AM 1/9/2025 12:59:59 AM
                                                    Subject Chain
                                                    • CN=philandro Software GmbH, O=philandro Software GmbH, L=Stuttgart, S=Baden-W\xfcrttemberg, C=DE
                                                    Version:3
                                                    Thumbprint MD5:EAE713DFC05244CF4301BF1C9F68B1BE
                                                    Thumbprint SHA-1:9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE
                                                    Thumbprint SHA-256:9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF
                                                    Serial:0DBF152DEAF0B981A8A938D53F769DB8

                                                    Entrypoint Preview

                                                    Instruction
                                                    dec ebp
                                                    pop edx
                                                    nop
                                                    add byte ptr [ebx], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax+eax], al
                                                    add byte ptr [eax], al

                                                    Data Directories

                                                    NameVirtual AddressVirtual Size Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0xc80000x1c1a.rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0xc74000x4640
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0xc73880x1c.text
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text

                                                    Sections

                                                    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                    .text0x20000xc53d00xc5400False0.9533168468789607data7.952638566367337IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .rsrc0xc80000x1c1a0x1e00False0.33098958333333334data5.310141871037977IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    NameRVASizeTypeLanguageCountry
                                                    RT_ICON0xc81b00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224
                                                    RT_ICON0xc92580x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088
                                                    RT_GROUP_ICON0xc96c00x22data
                                                    RT_VERSION0xc96e40x34cdata
                                                    RT_MANIFEST0xc9a300x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

                                                    Network Behavior

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Jun 2, 2023 15:38:45.180541039 CEST4969562335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:38:48.188280106 CEST4969562335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:38:54.189002037 CEST4969562335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:39:05.644177914 CEST4969662335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:39:08.658771038 CEST4969662335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:39:14.659281969 CEST4969662335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:39:24.280808926 CEST4970062335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:39:27.285420895 CEST4970062335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:39:33.285824060 CEST4970062335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:39:42.834573030 CEST4970162335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:39:42.879101038 CEST623354970191.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:39:43.380434990 CEST4970162335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:39:43.425004959 CEST623354970191.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:39:43.927361965 CEST4970162335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:39:43.972152948 CEST623354970191.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:39:47.977063894 CEST4970262335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:39:48.021768093 CEST623354970291.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:39:48.537118912 CEST4970262335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:39:48.581811905 CEST623354970291.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:39:49.099692106 CEST4970262335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:39:49.144428968 CEST623354970291.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:39:53.149203062 CEST4970362335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:39:53.193831921 CEST623354970391.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:39:53.709573030 CEST4970362335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:39:53.754199982 CEST623354970391.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:39:54.257426023 CEST4970362335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:39:54.301930904 CEST623354970391.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:39:58.480582952 CEST4970462335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:40:01.491422892 CEST4970462335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:40:07.507503986 CEST4970462335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:40:17.230046034 CEST4970562335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:40:20.243091106 CEST4970562335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:40:26.243532896 CEST4970562335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:40:26.515712976 CEST6233549705197.210.227.232192.168.2.4
                                                    Jun 2, 2023 15:40:30.753041983 CEST4970662335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:40:30.930021048 CEST6233549706197.210.227.232192.168.2.4
                                                    Jun 2, 2023 15:40:31.431394100 CEST4970662335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:40:31.612078905 CEST6233549706197.210.227.232192.168.2.4
                                                    Jun 2, 2023 15:40:32.119024038 CEST4970662335192.168.2.4197.210.227.232
                                                    Jun 2, 2023 15:40:32.291821003 CEST6233549706197.210.227.232192.168.2.4
                                                    Jun 2, 2023 15:40:36.308774948 CEST4970762335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:40:36.353142023 CEST623354970791.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:40:36.869467020 CEST4970762335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:40:36.913860083 CEST623354970791.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:40:37.416409016 CEST4970762335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:40:37.460726976 CEST623354970791.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:40:41.466217041 CEST4970862335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:40:41.513715029 CEST623354970891.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:40:42.026073933 CEST4970862335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:40:42.070286989 CEST623354970891.193.75.178192.168.2.4
                                                    Jun 2, 2023 15:40:42.572973013 CEST4970862335192.168.2.491.193.75.178
                                                    Jun 2, 2023 15:40:42.617302895 CEST623354970891.193.75.178192.168.2.4

                                                    UDP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Jun 2, 2023 15:38:45.139378071 CEST5223953192.168.2.48.8.8.8
                                                    Jun 2, 2023 15:38:45.165621996 CEST53522398.8.8.8192.168.2.4
                                                    Jun 2, 2023 15:39:05.603955030 CEST5680753192.168.2.48.8.8.8
                                                    Jun 2, 2023 15:39:05.639246941 CEST53568078.8.8.8192.168.2.4
                                                    Jun 2, 2023 15:39:24.258562088 CEST5944453192.168.2.48.8.8.8
                                                    Jun 2, 2023 15:39:24.279351950 CEST53594448.8.8.8192.168.2.4
                                                    Jun 2, 2023 15:39:58.447350979 CEST5557053192.168.2.48.8.8.8
                                                    Jun 2, 2023 15:39:58.473865986 CEST53555708.8.8.8192.168.2.4
                                                    Jun 2, 2023 15:40:17.157872915 CEST6490653192.168.2.48.8.8.8
                                                    Jun 2, 2023 15:40:17.197916031 CEST53649068.8.8.8192.168.2.4
                                                    Jun 2, 2023 15:40:30.706660032 CEST5944653192.168.2.48.8.8.8
                                                    Jun 2, 2023 15:40:30.741974115 CEST53594468.8.8.8192.168.2.4

                                                    DNS Queries

                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                    Jun 2, 2023 15:38:45.139378071 CEST192.168.2.48.8.8.80xfd5Standard query (0)ezemnia3.ddns.netA (IP address)IN (0x0001)false
                                                    Jun 2, 2023 15:39:05.603955030 CEST192.168.2.48.8.8.80xb8b7Standard query (0)ezemnia3.ddns.netA (IP address)IN (0x0001)false
                                                    Jun 2, 2023 15:39:24.258562088 CEST192.168.2.48.8.8.80x154cStandard query (0)ezemnia3.ddns.netA (IP address)IN (0x0001)false
                                                    Jun 2, 2023 15:39:58.447350979 CEST192.168.2.48.8.8.80xfe37Standard query (0)ezemnia3.ddns.netA (IP address)IN (0x0001)false
                                                    Jun 2, 2023 15:40:17.157872915 CEST192.168.2.48.8.8.80x9593Standard query (0)ezemnia3.ddns.netA (IP address)IN (0x0001)false
                                                    Jun 2, 2023 15:40:30.706660032 CEST192.168.2.48.8.8.80xbb35Standard query (0)ezemnia3.ddns.netA (IP address)IN (0x0001)false

                                                    DNS Answers

                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                    Jun 2, 2023 15:38:45.165621996 CEST8.8.8.8192.168.2.40xfd5No error (0)ezemnia3.ddns.net197.210.227.232A (IP address)IN (0x0001)false
                                                    Jun 2, 2023 15:39:05.639246941 CEST8.8.8.8192.168.2.40xb8b7No error (0)ezemnia3.ddns.net197.210.227.232A (IP address)IN (0x0001)false
                                                    Jun 2, 2023 15:39:24.279351950 CEST8.8.8.8192.168.2.40x154cNo error (0)ezemnia3.ddns.net197.210.227.232A (IP address)IN (0x0001)false
                                                    Jun 2, 2023 15:39:58.473865986 CEST8.8.8.8192.168.2.40xfe37No error (0)ezemnia3.ddns.net197.210.227.232A (IP address)IN (0x0001)false
                                                    Jun 2, 2023 15:40:17.197916031 CEST8.8.8.8192.168.2.40x9593No error (0)ezemnia3.ddns.net197.210.227.232A (IP address)IN (0x0001)false
                                                    Jun 2, 2023 15:40:30.741974115 CEST8.8.8.8192.168.2.40xbb35No error (0)ezemnia3.ddns.net197.210.227.232A (IP address)IN (0x0001)false

                                                    Statistics

                                                    CPU Usage

                                                    Click to jump to process

                                                    Memory Usage

                                                    Click to jump to process

                                                    High Level Behavior Distribution

                                                    Click to dive into process behavior distribution

                                                    Behavior

                                                    Click to jump to process

                                                    System Behavior

                                                    General

                                                    Target ID:0
                                                    Start time:15:38:37
                                                    Start date:02/06/2023
                                                    Path:C:\Users\user\Desktop\file.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\Desktop\file.exe
                                                    Imagebase:0x145c1610000
                                                    File size:834112 bytes
                                                    MD5 hash:8D93C7903BFD5900D72DBEB3B0968508
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.549824099.00000145D4A79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    Reputation:low

                                                    General

                                                    Target ID:3
                                                    Start time:15:38:39
                                                    Start date:02/06/2023
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
                                                    Imagebase:0x330000
                                                    File size:107624 bytes
                                                    MD5 hash:F866FC1C2E928779C7119353C3091F0C
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate

                                                    General

                                                    Target ID:4
                                                    Start time:15:38:40
                                                    Start date:02/06/2023
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
                                                    Imagebase:0x150000
                                                    File size:107624 bytes
                                                    MD5 hash:F866FC1C2E928779C7119353C3091F0C
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate

                                                    General

                                                    Target ID:5
                                                    Start time:15:38:40
                                                    Start date:02/06/2023
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
                                                    Imagebase:0x100000
                                                    File size:107624 bytes
                                                    MD5 hash:F866FC1C2E928779C7119353C3091F0C
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate

                                                    General

                                                    Target ID:6
                                                    Start time:15:38:40
                                                    Start date:02/06/2023
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
                                                    Imagebase:0x800000
                                                    File size:107624 bytes
                                                    MD5 hash:F866FC1C2E928779C7119353C3091F0C
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.808605429.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.809329944.00000000051F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.803937571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.805344954.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.809497378.0000000005D90000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:moderate

                                                    General

                                                    Target ID:7
                                                    Start time:15:38:52
                                                    Start date:02/06/2023
                                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                                    Imagebase:0xa20000
                                                    File size:107624 bytes
                                                    MD5 hash:F866FC1C2E928779C7119353C3091F0C
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:.Net C# or VB.NET
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:moderate

                                                    General

                                                    Target ID:8
                                                    Start time:15:38:52
                                                    Start date:02/06/2023
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7c72c0000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Disassembly

                                                    Reset < >

                                                      Executed Functions

                                                      Function 00007FF81617166A Relevance: 2.6, Strings: 2, Instructions: 62COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: jtt$jtt
                                                      • API String ID: 0-668875694
                                                      • Opcode ID: 2c30fa40463a9909815bcfb83dc4f6c8d4a08c7955afc8d530dc0f25c982b1d2
                                                      • Instruction ID: 841a61c06f9b9d2a2b21a877a4eb0fa408501db53338613104af46a9a89ec279
                                                      • Opcode Fuzzy Hash: 2c30fa40463a9909815bcfb83dc4f6c8d4a08c7955afc8d530dc0f25c982b1d2
                                                      • Instruction Fuzzy Hash: 34115C70E08A088FEB58DF68C4557ECB7F2FB59321F1481AAC04DE7241DA305981CF00
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF816174778 Relevance: 1.3, Strings: 1, Instructions: 64COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: jtt
                                                      • API String ID: 0-3303130015
                                                      • Opcode ID: 68604aaf96117b8f8512adda064deb29fe5e3edb92e1a52b9750ef90ed93d530
                                                      • Instruction ID: fa3ce723c11e598e619edf95ad78f460af58c83cf585a78ecdc89dd6eaa62454
                                                      • Opcode Fuzzy Hash: 68604aaf96117b8f8512adda064deb29fe5e3edb92e1a52b9750ef90ed93d530
                                                      • Instruction Fuzzy Hash: 5E215C70A04A0E8FDB48CF58C4859AEB7F2FF59760B14862AD419E7254CB34E942CF80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF8161729BF Relevance: 1.3, Strings: 1, Instructions: 49COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: jtt
                                                      • API String ID: 0-3303130015
                                                      • Opcode ID: a8bc8754f3335f2a308c0887b93efb06280c137a0cc8609bd2b2ed559a2612ab
                                                      • Instruction ID: 426b1dc67f986c2383679bfd90cf1e8c0be21e747ef1494a22ba397409a7b9d5
                                                      • Opcode Fuzzy Hash: a8bc8754f3335f2a308c0887b93efb06280c137a0cc8609bd2b2ed559a2612ab
                                                      • Instruction Fuzzy Hash: 9F11FA74E0491A8FDF44DF58D484AEEB7F1FBA9360F14822AD405E3254DB34A9468B90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF816173DF1 Relevance: .2, Instructions: 193COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 889efa55c1d90c6fdc2ea8636865778e1e8a561403985fc38467d30e786f1c34
                                                      • Instruction ID: 14d031f0cfdcdc720cc94e1b067369843190e223d93921eec3124b89034eaef7
                                                      • Opcode Fuzzy Hash: 889efa55c1d90c6fdc2ea8636865778e1e8a561403985fc38467d30e786f1c34
                                                      • Instruction Fuzzy Hash: F961AD7580E7C54FDB038B7498616E57FF0EF5B320B0A06EBD085CB1A3D628991AC762
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF816171FF5 Relevance: .1, Instructions: 138COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ebe9a792dafcdbd8ab187e2c881290a0680c07f7ae53575ed94fdbbe847f77ea
                                                      • Instruction ID: 2f48562cc4a007a8c04f632a3e7032e58fdd1f61bd3cc298696ccd3796c67caa
                                                      • Opcode Fuzzy Hash: ebe9a792dafcdbd8ab187e2c881290a0680c07f7ae53575ed94fdbbe847f77ea
                                                      • Instruction Fuzzy Hash: BD51FC3191895E8FEB94EF18D851BEDB7B1FB58360F0042B6D00DE7296DE34A985CB80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF8161730A4 Relevance: .1, Instructions: 99COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1931470e7a83e0f79b3b0e1eaa5341acdd919cce06ecf1205993cae91dcf0abe
                                                      • Instruction ID: 5bcd26b2e1b7f9305ea3bb5183301eac015d05372791fa13afd256d0db87f3b6
                                                      • Opcode Fuzzy Hash: 1931470e7a83e0f79b3b0e1eaa5341acdd919cce06ecf1205993cae91dcf0abe
                                                      • Instruction Fuzzy Hash: CF31B43090DB898FDB56DF24D8156E97BF1EF46320F0502BAE44DDB292CA349955CB41
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF816170505 Relevance: .1, Instructions: 85COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fb7edbd7aa12585544e048d4ea3e5d3469ad1b593d7186551ef2ca24f1a86939
                                                      • Instruction ID: c0687a9fd7534453d3dbb023ba164bef1690befadb90cf57bb35411d0faad897
                                                      • Opcode Fuzzy Hash: fb7edbd7aa12585544e048d4ea3e5d3469ad1b593d7186551ef2ca24f1a86939
                                                      • Instruction Fuzzy Hash: 3C31A1B4D18A1D8FDB48EF98C495AADBBB1FF58351F10426ED04AE7295CB34A941CF40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF816170684 Relevance: .1, Instructions: 70COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f6b34067584730212e77020353c96514945b20586583505d0bdc656cf41dd8d2
                                                      • Instruction ID: 0f1f889ab8eda745a351a551444856c05d2f8ae8ecefacec7524e27715d6b539
                                                      • Opcode Fuzzy Hash: f6b34067584730212e77020353c96514945b20586583505d0bdc656cf41dd8d2
                                                      • Instruction Fuzzy Hash: 492148B1E18A1D8FEB94DF2888557ACB7F1FF99261F1041BAD00DE3281DE346A85CB01
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF8161718ED Relevance: .1, Instructions: 68COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 89e090797bcc9b57096e88d0112e7c2c6d448188d8a096d0dbda1f37db837751
                                                      • Instruction ID: 9d27b5c813ca49205d919e7938579acb0a04ee5db410ac3f67f636346ee72ae6
                                                      • Opcode Fuzzy Hash: 89e090797bcc9b57096e88d0112e7c2c6d448188d8a096d0dbda1f37db837751
                                                      • Instruction Fuzzy Hash: EA11E430A14A2D8FDF98EB5CC885BE9B7F2FBA8311F1041A9D04DE3255CB35A985CB40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF81617042D Relevance: .0, Instructions: 46COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bbbe0e8dd93a764b424f1a7f3169554c3ab6c6a5686d813998ce2857048492c4
                                                      • Instruction ID: 265aa43943ab59f6941c2a24c120b00a36bf739422566fa7567b39d10741d1f7
                                                      • Opcode Fuzzy Hash: bbbe0e8dd93a764b424f1a7f3169554c3ab6c6a5686d813998ce2857048492c4
                                                      • Instruction Fuzzy Hash: 600169B990860A8BEB18DB90D450AFE77B5EF95371F10023AD04AE7281CF382A84CB51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF816172E6A Relevance: .0, Instructions: 38COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1e1573220bacb536600b761bef2ec4d2ec15698e32ba278916dd5000bb3d3665
                                                      • Instruction ID: 06a9b3176ded8729a04dd48532bb64209511ec9a71d6f45115f9287a969274e8
                                                      • Opcode Fuzzy Hash: 1e1573220bacb536600b761bef2ec4d2ec15698e32ba278916dd5000bb3d3665
                                                      • Instruction Fuzzy Hash: C901DB34E0460ECFDB48DF64C5919EEB7B2FF89361B10426DC40AA7294CB39AD42CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF816173FF8 Relevance: .0, Instructions: 32COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: deafd3272ac54f6ad04bec2b6eaba5ef36521d1862e10095149118421a956fc6
                                                      • Instruction ID: 90b4c17a0e1b70de85821a51b1b53c7460036c5e000368706d97fbaeeb4981ba
                                                      • Opcode Fuzzy Hash: deafd3272ac54f6ad04bec2b6eaba5ef36521d1862e10095149118421a956fc6
                                                      • Instruction Fuzzy Hash: F601C934A04609CFEB48DFA8C4919EDBBF1EB58361F14426ED41AE7290CB35A951CF14
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF81617265D Relevance: .0, Instructions: 30COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cd7fef0340c6f0ced189e24ca2c0167d3b8892c470b75bfec71f39a9d719358a
                                                      • Instruction ID: 71119845d8f8ddbca1268845d365300c2192c91c421009cdb49782e022948068
                                                      • Opcode Fuzzy Hash: cd7fef0340c6f0ced189e24ca2c0167d3b8892c470b75bfec71f39a9d719358a
                                                      • Instruction Fuzzy Hash: E3F04F70E046098FDF48CFA8D8909EDB7B2FF88321F20C22AD406F7284CA346911CB14
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF816173D0F Relevance: .0, Instructions: 25COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 18ba186c1652b9024206dd7c3d3bed25377f6e24a20e2c4235cfe8db5ca7d1c2
                                                      • Instruction ID: 3038d1cfd10a453fb99735253fbd059da64b874d6822838ffa413dfb1a01b156
                                                      • Opcode Fuzzy Hash: 18ba186c1652b9024206dd7c3d3bed25377f6e24a20e2c4235cfe8db5ca7d1c2
                                                      • Instruction Fuzzy Hash: 93F05838E0868D8FDB18EF98C8A28BDBBB0FF58314B10455ED8669B346CA30A411CF40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF8161714DA Relevance: .0, Instructions: 24COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 18ccfd9598896daf3ec7d2be85f2bff69d2ffc71450a22f4daa54e9b6863925d
                                                      • Instruction ID: de4a0088fb7b57c24eaf579bb0a6ba966e1e2a1cefd20df60ecbe405ebfb3e7b
                                                      • Opcode Fuzzy Hash: 18ccfd9598896daf3ec7d2be85f2bff69d2ffc71450a22f4daa54e9b6863925d
                                                      • Instruction Fuzzy Hash: B6F08C70E1465E8FE389EB2888556ECB6B0BF48360F2045BAC05DE31A2CE381AC19F50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF816170604 Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0ae35fd16a253b5be9ab039446ec6e31e58bcd92a0cd9a3a0502e55de0b05f9f
                                                      • Instruction ID: 6f8bb7048828cf065c5cc8611e2151418583eebee7877f347625d1cf060ad756
                                                      • Opcode Fuzzy Hash: 0ae35fd16a253b5be9ab039446ec6e31e58bcd92a0cd9a3a0502e55de0b05f9f
                                                      • Instruction Fuzzy Hash: 6AE0C93091862ECFE764EB3488557B9B6B1FF44345F5041F8C04D97296CE356981CB00
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF816174238 Relevance: .0, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3cda2d49514ef3b7158e4e465b188dfd2e282253a913e8bac5df4d96f9c76874
                                                      • Instruction ID: 0ca464a5c76a9cb27eaeb383c1ff84957fcdd5acf9a8ccb28044cd53e9e632cd
                                                      • Opcode Fuzzy Hash: 3cda2d49514ef3b7158e4e465b188dfd2e282253a913e8bac5df4d96f9c76874
                                                      • Instruction Fuzzy Hash: 47E0C27082AE08DAE718DB74461A4ACBA30FF15292B5007BDD283A7082CB392401D614
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF8161732F7 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 380a7eb549906ab8327a6eaef48797ca7dbd83b80a23deb4dacd14af0d442818
                                                      • Instruction ID: d207cf56e1bbb4ebe049dbbe5e814ce6227b22ebb58625b7dcfa9e4a28c0948d
                                                      • Opcode Fuzzy Hash: 380a7eb549906ab8327a6eaef48797ca7dbd83b80a23deb4dacd14af0d442818
                                                      • Instruction Fuzzy Hash: F8D05B30D0A78C8FD705AB74C5478AC7B71DF113517140269C045B7121CA399442D740
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF8161717DF Relevance: .0, Instructions: 12COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c4ca65dc83cd458a7cd6242b277a0c6167499c4c901d13dd4a2d68a63600081d
                                                      • Instruction ID: 69fad3de5ac6ddd9bcda245c753a5d47567e2bdb39e52bd5617770e68d73b257
                                                      • Opcode Fuzzy Hash: c4ca65dc83cd458a7cd6242b277a0c6167499c4c901d13dd4a2d68a63600081d
                                                      • Instruction Fuzzy Hash: 8BD01730D096098FAB5CDE64C1629ADBB71AB08711F24493ED006A6280CA745940CB04
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 00007FF8161741E0 Relevance: .0, Instructions: 10COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a4814bb9b22dbc7550b6d139abf8dcb3e2d6d0b93bcaf01a0669f5a132d367ad
                                                      • Instruction ID: 17b77e0030a9cd2425506b51c3b5b67547152f107b436eccbe9a7a97e0f78a77
                                                      • Opcode Fuzzy Hash: a4814bb9b22dbc7550b6d139abf8dcb3e2d6d0b93bcaf01a0669f5a132d367ad
                                                      • Instruction Fuzzy Hash: 7AD0C970909A09CFEB8CEF64C0528ACB771FF15351B60057DD247AB281CB36A801DB10
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Function 00007FF816176D19 Relevance: 5.3, Strings: 4, Instructions: 337COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.553683912.00007FF816170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816170000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff816170000_file.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: q~t$Zrt$jtt$jtt
                                                      • API String ID: 0-2389277608
                                                      • Opcode ID: e1ae25be61486494d508cfb81384c25bf4e12692f66b52087ccfbcd8bd7ac82a
                                                      • Instruction ID: b30807650c0d287bc9a96639e2bf95a42bf9cefe446c10120c69af9714829e78
                                                      • Opcode Fuzzy Hash: e1ae25be61486494d508cfb81384c25bf4e12692f66b52087ccfbcd8bd7ac82a
                                                      • Instruction Fuzzy Hash: 76B1D47191DB8D8FE796DB78D8197E8BBE0FF06360F1401BED049CB2A2DA681846C741
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage:13.1%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:182
                                                      Total number of Limit Nodes:7
                                                      execution_graph 17865 11d6758 17868 11d6344 17865->17868 17867 11d6766 17869 11d634f 17868->17869 17872 11d6394 17869->17872 17871 11d688d 17871->17867 17873 11d639f 17872->17873 17876 11d63c4 17873->17876 17875 11d6962 17875->17871 17877 11d63cf 17876->17877 17880 11d63f4 17877->17880 17879 11d6a62 17879->17875 17882 11d63ff 17880->17882 17881 11d71bc 17881->17879 17882->17881 17885 11db3f9 17882->17885 17890 11db408 17882->17890 17887 11db408 17885->17887 17886 11db44d 17886->17881 17887->17886 17895 11db5b8 17887->17895 17899 11db5aa 17887->17899 17891 11db429 17890->17891 17892 11db44d 17891->17892 17893 11db5b8 6 API calls 17891->17893 17894 11db5aa 6 API calls 17891->17894 17892->17881 17893->17892 17894->17892 17898 11db5c5 17895->17898 17896 11db5ff 17896->17886 17898->17896 17903 11da0ec 17898->17903 17900 11db5c5 17899->17900 17901 11db5ff 17900->17901 17902 11da0ec 6 API calls 17900->17902 17901->17886 17902->17901 17904 11da0f1 17903->17904 17906 11dc2f8 17904->17906 17907 11db904 17904->17907 17906->17906 17908 11db90f 17907->17908 17909 11d63f4 6 API calls 17908->17909 17910 11dc367 17909->17910 17917 11dc3d1 17910->17917 17921 11dc3e0 17910->17921 17911 11dc375 17915 11de0d8 LoadLibraryExW GetModuleHandleW CreateWindowExW CreateWindowExW 17911->17915 17916 11de0f0 LoadLibraryExW GetModuleHandleW CreateWindowExW CreateWindowExW 17911->17916 17912 11dc3a0 17912->17906 17915->17912 17916->17912 17918 11dc40e 17917->17918 17919 11dc4da KiUserCallbackDispatcher 17918->17919 17920 11dc4df 17918->17920 17919->17920 17922 11dc40e 17921->17922 17923 11dc4da KiUserCallbackDispatcher 17922->17923 17924 11dc4df 17922->17924 17923->17924 18062 62731d0 18063 62731d9 18062->18063 18067 6273220 18063->18067 18072 6273210 18063->18072 18064 627320a 18068 6273225 18067->18068 18077 6273248 18068->18077 18082 6273258 18068->18082 18069 627323c 18069->18064 18073 6273220 18072->18073 18075 6273248 DnsQuery_A 18073->18075 18076 6273258 DnsQuery_A 18073->18076 18074 627323c 18074->18064 18075->18074 18076->18074 18078 6273276 18077->18078 18079 627329e 18078->18079 18087 6273360 18078->18087 18091 6273350 18078->18091 18079->18069 18083 6273276 18082->18083 18084 627329e 18083->18084 18085 6273360 DnsQuery_A 18083->18085 18086 6273350 DnsQuery_A 18083->18086 18084->18069 18085->18083 18086->18083 18088 6273389 18087->18088 18095 62718fc 18088->18095 18093 627335a 18091->18093 18092 62718fc DnsQuery_A 18094 62733ca 18092->18094 18093->18092 18094->18078 18096 6273610 DnsQuery_A 18095->18096 18098 627374a 18096->18098 18098->18098 17925 11dfe10 17928 11dda3c 17925->17928 17929 11dfe40 SetWindowLongW 17928->17929 17930 11dfe28 17929->17930 17931 11db6d0 17932 11db736 17931->17932 17936 11dbc98 17932->17936 17939 11dbc88 17932->17939 17933 11db7e5 17942 11da14c 17936->17942 17940 11dbcc6 17939->17940 17941 11da14c DuplicateHandle 17939->17941 17940->17933 17941->17940 17943 11dbd00 DuplicateHandle 17942->17943 17944 11dbcc6 17943->17944 17944->17933 18031 11dfdb0 18032 11dfdd6 18031->18032 18035 11dda1c 18032->18035 18034 11dfde2 18036 11dda11 18035->18036 18037 11dda54 SetWindowLongW 18036->18037 18038 11dfee7 18037->18038 18038->18034 18039 11d92f0 18042 11d93e8 18039->18042 18040 11d92ff 18043 11d93fb 18042->18043 18044 11d9413 18043->18044 18050 11d9670 18043->18050 18054 11d9660 18043->18054 18044->18040 18045 11d940b 18045->18044 18046 11d9610 GetModuleHandleW 18045->18046 18047 11d963d 18046->18047 18047->18040 18051 11d9684 18050->18051 18053 11d96a9 18051->18053 18058 11d8768 18051->18058 18053->18045 18055 11d9684 18054->18055 18056 11d8768 LoadLibraryExW 18055->18056 18057 11d96a9 18055->18057 18056->18057 18057->18045 18059 11d9850 LoadLibraryExW 18058->18059 18061 11d98c9 18059->18061 18061->18053 17945 6270f28 17946 6270f38 17945->17946 17947 6270fa5 17946->17947 17949 6271470 17946->17949 17953 6271490 17949->17953 17959 62714a0 17949->17959 17950 627148e 17950->17947 17954 62714ad 17953->17954 17955 62714b1 17953->17955 17954->17950 17965 627169e 17955->17965 17970 62716b8 17955->17970 17960 62714ad 17959->17960 17961 62714b1 17959->17961 17960->17950 17963 627169e 2 API calls 17961->17963 17964 62716b8 2 API calls 17961->17964 17962 62714d1 17962->17950 17963->17962 17964->17962 17966 62716b8 17965->17966 17975 11dedef 17966->17975 17980 11dee00 17966->17980 17971 62716c0 17970->17971 17973 11dedef 2 API calls 17971->17973 17974 11dee00 2 API calls 17971->17974 17972 62714d1 17972->17950 17973->17972 17974->17972 17976 11dee2a 17975->17976 17977 11deed1 17976->17977 17985 11dfba8 17976->17985 17988 11dfb61 17976->17988 17981 11dee2a 17980->17981 17982 11deed1 17981->17982 17983 11dfba8 CreateWindowExW 17981->17983 17984 11dfb61 2 API calls 17981->17984 17983->17982 17984->17982 17986 11dfbdd 17985->17986 17996 11dda04 17985->17996 17986->17977 17989 11dfbe6 CreateWindowExW 17988->17989 17990 11dfb8a 17988->17990 17995 11dfd1c 17989->17995 17990->17989 17991 11dfbae 17990->17991 17992 11dda04 CreateWindowExW 17991->17992 17993 11dfbdd 17992->17993 17993->17977 17995->17995 17997 11dfbf8 CreateWindowExW 17996->17997 17999 11dfd1c 17997->17999 18000 11dfe02 18001 11dfe19 18000->18001 18002 11dfe25 18001->18002 18004 11dda3c SetWindowLongW 18001->18004 18003 11dfe28 18002->18003 18005 11dda3c SetWindowLongW 18002->18005 18009 11dda54 18002->18009 18014 11dda48 18002->18014 18023 11dd999 18002->18023 18004->18002 18005->18003 18010 11dda2d 18009->18010 18010->18010 18011 11dfe40 SetWindowLongW 18010->18011 18013 11dda11 18010->18013 18012 11dfeac 18011->18012 18012->18003 18013->18003 18016 11dda2d 18014->18016 18015 11ddaa9 18016->18015 18017 11dda38 SetWindowLongW 18016->18017 18020 11dda11 18016->18020 18019 11dfeac 18017->18019 18019->18003 18021 11dda54 SetWindowLongW 18020->18021 18022 11dfee7 18021->18022 18022->18003 18024 11dd99e 18023->18024 18025 11dda38 SetWindowLongW 18024->18025 18028 11dd9fe 18024->18028 18027 11dfeac 18025->18027 18027->18003 18029 11dda54 SetWindowLongW 18028->18029 18030 11dfee7 18029->18030 18030->18003

                                                      Executed Functions

                                                      Function 06270040 Relevance: .6, Instructions: 604COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.809754632.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_6270000_CasPol.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 99394b9ed3a2f60901cdeae688442c615e18ec9ead88ca61df109c71c6ff69ff
                                                      • Instruction ID: 813680c1b69194d306120ef937a16c3879e5d404a593d035f1f1468ef4434b2c
                                                      • Opcode Fuzzy Hash: 99394b9ed3a2f60901cdeae688442c615e18ec9ead88ca61df109c71c6ff69ff
                                                      • Instruction Fuzzy Hash: C4426BB1A10605CFDB54CF59C484AAEBBF2FF88310B158969D81AAB751DB30F885CF94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 06273558 Relevance: 1.7, APIs: 1, Instructions: 206COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 6273558-6273574 1 6273576-6273587 0->1 2 627358a-62735eb 0->2 11 62735f9-6273683 2->11 12 62735c8-62735f7 2->12 18 6273685-627368f 11->18 19 62736bc-62736ef 11->19 18->19 20 6273691-6273693 18->20 28 62736f7-6273748 DnsQuery_A 19->28 23 62736b6-62736b9 20->23 24 6273695-627369f 20->24 23->19 25 62736a3-62736b2 24->25 26 62736a1 24->26 25->25 27 62736b4 25->27 26->25 27->23 29 6273751-627379e 28->29 30 627374a-6273750 28->30 35 62737a0-62737a4 29->35 36 62737ae-62737b2 29->36 30->29 35->36 37 62737a6 35->37 38 62737b4-62737b7 36->38 39 62737c1-62737c5 36->39 37->36 38->39 40 62737c7-62737d3 39->40 41 62737d6 39->41 40->41 43 62737d7 41->43 43->43
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.809754632.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_6270000_CasPol.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dce1fb37dd965b7f98bd7dab0aadcd643d3756d01467f919dcfac5ad98bddda0
                                                      • Instruction ID: 04fa7fbdee27faeefbe2115ecfa39dfaa4bafaa09e7aa70f67186eaa6e1a27f1
                                                      • Opcode Fuzzy Hash: dce1fb37dd965b7f98bd7dab0aadcd643d3756d01467f919dcfac5ad98bddda0
                                                      • Instruction Fuzzy Hash: 358156B1D1020ADFDB50CFA9D880ADEBBB5FF48314F20812AD815AB250DB75A949CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 011D93E8 Relevance: 1.7, APIs: 1, Instructions: 194COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 44 11d93e8-11d93fd call 11d8704 47 11d93ff 44->47 48 11d9413-11d9417 44->48 100 11d9405 call 11d9670 47->100 101 11d9405 call 11d9660 47->101 49 11d9419-11d9423 48->49 50 11d942b-11d946c 48->50 49->50 55 11d946e-11d9476 50->55 56 11d9479-11d9487 50->56 51 11d940b-11d940d 51->48 52 11d9548-11d9608 51->52 93 11d960a-11d960d 52->93 94 11d9610-11d963b GetModuleHandleW 52->94 55->56 58 11d9489-11d948e 56->58 59 11d94ab-11d94ad 56->59 61 11d9499 58->61 62 11d9490-11d9497 call 11d8710 58->62 60 11d94b0-11d94b7 59->60 65 11d94b9-11d94c1 60->65 66 11d94c4-11d94cb 60->66 64 11d949b-11d94a9 61->64 62->64 64->60 65->66 69 11d94cd-11d94d5 66->69 70 11d94d8-11d94e1 call 11d8720 66->70 69->70 75 11d94ee-11d94f3 70->75 76 11d94e3-11d94eb 70->76 77 11d94f5-11d94fc 75->77 78 11d9511-11d9515 75->78 76->75 77->78 80 11d94fe-11d950e call 11d8730 call 11d8740 77->80 98 11d9518 call 11d9968 78->98 99 11d9518 call 11d9940 78->99 80->78 82 11d951b-11d951e 85 11d9541-11d9547 82->85 86 11d9520-11d953e 82->86 86->85 93->94 95 11d963d-11d9643 94->95 96 11d9644-11d9658 94->96 95->96 98->82 99->82 100->51 101->51
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 011D962E
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 4e646e732859bf3f686b1df5c3d52b2f275ee83e5cdae2b00a7aa76fe1f8e9a5
                                                      • Instruction ID: 1e22e3eb466f6d6e00259464cafc1082d9c66e75d365c8d286c1378e8da643f2
                                                      • Opcode Fuzzy Hash: 4e646e732859bf3f686b1df5c3d52b2f275ee83e5cdae2b00a7aa76fe1f8e9a5
                                                      • Instruction Fuzzy Hash: 29712770A00B098FD768DF2AD54175ABBF5BF88318F008A2EE54AD7A51DB74E805CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 011DFB61 Relevance: 1.7, APIs: 1, Instructions: 160COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 102 11dfb61-11dfb88 103 11dfbec-11dfc5e 102->103 104 11dfb8a-11dfbac 102->104 108 11dfc69-11dfc70 103->108 109 11dfc60-11dfc66 103->109 106 11dfbae-11dfbd8 call 11dda04 104->106 107 11dfbe6-11dfbea 104->107 113 11dfbdd-11dfbde 106->113 107->103 111 11dfc7b-11dfd1a CreateWindowExW 108->111 112 11dfc72-11dfc78 108->112 109->108 115 11dfd1c-11dfd22 111->115 116 11dfd23-11dfd5b 111->116 112->111 115->116 120 11dfd5d-11dfd60 116->120 121 11dfd68 116->121 120->121 122 11dfd69 121->122 122->122
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011DFD0A
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: a2d2ebb1f28f60429b18dfda850b595d9dfb6a6d2d62f3fd9c4054b0480ca4d1
                                                      • Instruction ID: f89dc621ff6ee38cdba154b36250264471292c19c6fc0fb71de46fc34c652675
                                                      • Opcode Fuzzy Hash: a2d2ebb1f28f60429b18dfda850b595d9dfb6a6d2d62f3fd9c4054b0480ca4d1
                                                      • Instruction Fuzzy Hash: D46122B2C04249AFCF06CF99D880ACEBFB1BF49314F19816AE419AB261D3759946CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 06273604 Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 151 6273604-6273683 153 6273685-627368f 151->153 154 62736bc-62736ef 151->154 153->154 155 6273691-6273693 153->155 162 62736f7-6273748 DnsQuery_A 154->162 157 62736b6-62736b9 155->157 158 6273695-627369f 155->158 157->154 159 62736a3-62736b2 158->159 160 62736a1 158->160 159->159 161 62736b4 159->161 160->159 161->157 163 6273751-627379e 162->163 164 627374a-6273750 162->164 169 62737a0-62737a4 163->169 170 62737ae-62737b2 163->170 164->163 169->170 171 62737a6 169->171 172 62737b4-62737b7 170->172 173 62737c1-62737c5 170->173 171->170 172->173 174 62737c7-62737d3 173->174 175 62737d6 173->175 174->175 177 62737d7 175->177 177->177
                                                      APIs
                                                      • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06273738
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.809754632.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_6270000_CasPol.jbxd
                                                      Similarity
                                                      • API ID: Query_
                                                      • String ID:
                                                      • API String ID: 428220571-0
                                                      • Opcode ID: 2ec1512421252c8ff54170ccf6ecf9646418073a64c640e215da1d9730eff638
                                                      • Instruction ID: 3593f92b7a5190688b3859b0bbf16010dac097c7a74f8fd2d09fcaa83846a568
                                                      • Opcode Fuzzy Hash: 2ec1512421252c8ff54170ccf6ecf9646418073a64c640e215da1d9730eff638
                                                      • Instruction Fuzzy Hash: 125133B1D10219DFCB50CFA9C984ADEBBB1FF48304F24812AE815BB250DB749985CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 062718FC Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 123 62718fc-6273683 126 6273685-627368f 123->126 127 62736bc-6273748 DnsQuery_A 123->127 126->127 128 6273691-6273693 126->128 136 6273751-627379e 127->136 137 627374a-6273750 127->137 130 62736b6-62736b9 128->130 131 6273695-627369f 128->131 130->127 132 62736a3-62736b2 131->132 133 62736a1 131->133 132->132 134 62736b4 132->134 133->132 134->130 142 62737a0-62737a4 136->142 143 62737ae-62737b2 136->143 137->136 142->143 144 62737a6 142->144 145 62737b4-62737b7 143->145 146 62737c1-62737c5 143->146 144->143 145->146 147 62737c7-62737d3 146->147 148 62737d6 146->148 147->148 150 62737d7 148->150 150->150
                                                      APIs
                                                      • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06273738
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.809754632.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_6270000_CasPol.jbxd
                                                      Similarity
                                                      • API ID: Query_
                                                      • String ID:
                                                      • API String ID: 428220571-0
                                                      • Opcode ID: 0ad6fcfde3e749d009683fcb0ffd619f12ba4b411f9bf007462abefd009226da
                                                      • Instruction ID: 0de4efef06b9020aa549faa7bc8d0c3fea6a0dfa602e72d4ed6205848784f1fa
                                                      • Opcode Fuzzy Hash: 0ad6fcfde3e749d009683fcb0ffd619f12ba4b411f9bf007462abefd009226da
                                                      • Instruction Fuzzy Hash: 385123B1D10219DFCB50CFA9C980ADEBBB5FF48304F20812AE815BB250DB759985CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 011DD999 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 178 11dd999-11dd99c 179 11dd9fc 178->179 180 11dd99e-11dd9a3 178->180 181 11dda5c-11dda6e 179->181 182 11dd9fe-11dda0f 179->182 180->179 183 11dda59 181->183 184 11dda70-11dda73 181->184 185 11dda11-11dda20 182->185 183->181 186 11dda2d-11dda36 184->186 187 11dda75-11dda7f 184->187 188 11dda21-11dda26 185->188 186->188 189 11dda38-11dda43 186->189 190 11dda81-11dda96 187->190 188->185 196 11dda27-11dfee7 call 11dda54 188->196 191 11dfe40-11dfeaa SetWindowLongW 189->191 190->190 192 11dda98-11ddaa3 190->192 194 11dfeac-11dfeb2 191->194 195 11dfeb3-11dfec7 191->195 192->191 194->195
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7395c17b94a7fd70b194d3d1ffa199680f00f8d12e0efb7f5ee01c599976b430
                                                      • Instruction ID: 65bc4a65f5ea82df0c44373b4c8648df14c48b64e903176549c751889c720759
                                                      • Opcode Fuzzy Hash: 7395c17b94a7fd70b194d3d1ffa199680f00f8d12e0efb7f5ee01c599976b430
                                                      • Instruction Fuzzy Hash: FF4132B68083498FDB05CF98D8857DABFF8EF19310F09888AD944A7242D374A545CBB2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 011DDA04 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 201 11dda04-11dfc5e 203 11dfc69-11dfc70 201->203 204 11dfc60-11dfc66 201->204 205 11dfc7b-11dfd1a CreateWindowExW 203->205 206 11dfc72-11dfc78 203->206 204->203 208 11dfd1c-11dfd22 205->208 209 11dfd23-11dfd5b 205->209 206->205 208->209 213 11dfd5d-11dfd60 209->213 214 11dfd68 209->214 213->214 215 11dfd69 214->215 215->215
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011DFD0A
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 78763f4c33a0788a87e522e563bd72cbe2f6c2a7f03ac9835f71a9a7905abc64
                                                      • Instruction ID: 8eb918923e19203cd830d4f0e3225e297842ec1bf48796883f080bc3126a99d4
                                                      • Opcode Fuzzy Hash: 78763f4c33a0788a87e522e563bd72cbe2f6c2a7f03ac9835f71a9a7905abc64
                                                      • Instruction Fuzzy Hash: B751B0B1D00709DFDB14CF9AD984ADEBBB5BF48310F24812AE819AB210D775A946CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 011DFE02 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 216 11dfe02-11dfe17 217 11dfe1d-11dfe1f 216->217 218 11dfe19-11dfe1b 216->218 219 11dfe25 217->219 220 11dfe21-11dfe23 call 11dda3c 217->220 218->217 221 11dfe28-11dfe29 219->221 223 11dfe27 call 11dda3c 219->223 224 11dfe27 call 11dd999 219->224 225 11dfe27 call 11dda48 219->225 226 11dfe27 call 11dda54 219->226 220->219 223->221 224->221 225->221 226->221
                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,011DFE28,?,?,?,?), ref: 011DFE9D
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: e4a0e524ba3476c3035f378bd82a47116db030a1862e45b12e29283cc7ab8374
                                                      • Instruction ID: d2983f2e61ed58247fbe26a5171cbe98a63c1e1a3e3e5c83c707cd9015a7fcdd
                                                      • Opcode Fuzzy Hash: e4a0e524ba3476c3035f378bd82a47116db030a1862e45b12e29283cc7ab8374
                                                      • Instruction Fuzzy Hash: B621A9B6800209DFCB01CF95EA84BCABBF4EF08314F09844AE455B7252D334A905CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 011DA14C Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 227 11da14c-11dbd94 DuplicateHandle 229 11dbd9d-11dbdba 227->229 230 11dbd96-11dbd9c 227->230 230->229
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011DBCC6,?,?,?,?,?), ref: 011DBD87
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 4cafd7a929b499478c028146a59e1079bb5e9e2e0f7013bc16d8f8e2b182870a
                                                      • Instruction ID: 733462f3cf1df89b6ac9c360331dc574f2dbcdae75f6837eb5d63fb56280d6c7
                                                      • Opcode Fuzzy Hash: 4cafd7a929b499478c028146a59e1079bb5e9e2e0f7013bc16d8f8e2b182870a
                                                      • Instruction Fuzzy Hash: 4721E6B59006189FDB10CF9AD584ADEBFF9EB48324F14801AE955B3310D378A944CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 011DBCF9 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 233 11dbcf9-11dbd94 DuplicateHandle 234 11dbd9d-11dbdba 233->234 235 11dbd96-11dbd9c 233->235 235->234
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011DBCC6,?,?,?,?,?), ref: 011DBD87
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: c43aee8d9659680b5620d19b3bda5fe22357ad531304e34a5249a7289c9254f6
                                                      • Instruction ID: 4a412eadcdf01b0ac776dc4ca5675cd9f7ae2c4d85f9f5374ce20e40505ac671
                                                      • Opcode Fuzzy Hash: c43aee8d9659680b5620d19b3bda5fe22357ad531304e34a5249a7289c9254f6
                                                      • Instruction Fuzzy Hash: 6A21E3B59002189FDB10CFAAD584ADEBFF9EF08324F14841AE959B3210D378A944CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 011D8768 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 238 11d8768-11d9890 240 11d9898-11d98c7 LoadLibraryExW 238->240 241 11d9892-11d9895 238->241 242 11d98c9-11d98cf 240->242 243 11d98d0-11d98ed 240->243 241->240 242->243
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,011D96A9,00000800,00000000,00000000), ref: 011D98BA
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: f72851aa035b7216e26c633bb40a7bf1204fabdb3fc54435611b18cbaef02fa9
                                                      • Instruction ID: 3b4cd26472e52a78610bfb6ee11cdf19ba989a896e2003c9bf1f3bb2dd6bf6a0
                                                      • Opcode Fuzzy Hash: f72851aa035b7216e26c633bb40a7bf1204fabdb3fc54435611b18cbaef02fa9
                                                      • Instruction Fuzzy Hash: A41133B6C002088FDB14CF9AC484ADEBBF8EB48724F10842AE519B7600C374A944CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 011D9849 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 246 11d9849-11d9890 247 11d9898-11d98c7 LoadLibraryExW 246->247 248 11d9892-11d9895 246->248 249 11d98c9-11d98cf 247->249 250 11d98d0-11d98ed 247->250 248->247 249->250
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,011D96A9,00000800,00000000,00000000), ref: 011D98BA
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: cfb7fcba5fc8babcab962c98c3c140d14ca59f9e63b2e0c95e5f4edf7599eb90
                                                      • Instruction ID: 44c0b18264ec232f75c5801c110720169ef9ab9a2d2f4ca031aa1ac3caa10fef
                                                      • Opcode Fuzzy Hash: cfb7fcba5fc8babcab962c98c3c140d14ca59f9e63b2e0c95e5f4edf7599eb90
                                                      • Instruction Fuzzy Hash: E2111FB6D002098FDB14CF9AC584BDEBBF8EB58324F14842AD529B7600C378A645CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 011D95C8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 253 11d95c8-11d9608 254 11d960a-11d960d 253->254 255 11d9610-11d963b GetModuleHandleW 253->255 254->255 256 11d963d-11d9643 255->256 257 11d9644-11d9658 255->257 256->257
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 011D962E
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 74ce191652cbd51c779e3ea6b0363a08b551e5de3ba2dc16f6f361a30a1cc233
                                                      • Instruction ID: c9819ce82f76df2d59770ce0822e050a22b13cd6d58f97ad658f37651772af81
                                                      • Opcode Fuzzy Hash: 74ce191652cbd51c779e3ea6b0363a08b551e5de3ba2dc16f6f361a30a1cc233
                                                      • Instruction Fuzzy Hash: 321113B6C002098FDB14CF9AC544ADEFBF4EF48324F14851AD429B7600C378A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 011DDA3C Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 259 11dda3c-11dfeaa SetWindowLongW 261 11dfeac-11dfeb2 259->261 262 11dfeb3-11dfec7 259->262 261->262
                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,011DFE28,?,?,?,?), ref: 011DFE9D
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: c811c3e5fa416dc684bd8f35385e0df6de390eef18166d90775e14f7b93bac57
                                                      • Instruction ID: b7c3c07563f4429cc8e716f5c009a90a7d1acff2941d68805f20099b987f2333
                                                      • Opcode Fuzzy Hash: c811c3e5fa416dc684bd8f35385e0df6de390eef18166d90775e14f7b93bac57
                                                      • Instruction Fuzzy Hash: 821133B58002598FDB20CF8AD584BDFBBF8EB48324F10841AE919B7301C374AA45CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Function 011DE480 Relevance: .3, Instructions: 315COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 23977629a576822a0491f304c849195b30700a0271f489430ca1e0a6db515163
                                                      • Instruction ID: fe221b1b6f104b5a96a5fba01721250827935ed769686f85c0863a256588f0d7
                                                      • Opcode Fuzzy Hash: 23977629a576822a0491f304c849195b30700a0271f489430ca1e0a6db515163
                                                      • Instruction Fuzzy Hash: 4F12D6B1C11746CBE7BADF65E8881893BA3B745328B904328D2711BAD9D7F815CACF44
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 011DBBD4 Relevance: .3, Instructions: 265COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 070f5e0111dd82f0145f3cffeaf66507c5fc9e3def01b36faea84f6aba2852d9
                                                      • Instruction ID: 684feecea9b291a828ad6b20e1d49a084e58fffda838bab5da2a0a951537d8e7
                                                      • Opcode Fuzzy Hash: 070f5e0111dd82f0145f3cffeaf66507c5fc9e3def01b36faea84f6aba2852d9
                                                      • Instruction Fuzzy Hash: 0CA1AE36E0061A8FCF19DFB9D8845DDBBF2FF85304B15816AE905BB260EB71A945CB40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 011DE471 Relevance: .2, Instructions: 221COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.805143320.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_11d0000_CasPol.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e1ce55bbb3375f7c4e2f6c246de5f5c66ba6af69f536565f40591b6c369bdd04
                                                      • Instruction ID: 96838ece31d88f050f8a2c9c125dea947a808159893ed1d6590a2942cbc1c905
                                                      • Opcode Fuzzy Hash: e1ce55bbb3375f7c4e2f6c246de5f5c66ba6af69f536565f40591b6c369bdd04
                                                      • Instruction Fuzzy Hash: BBC109B1C11746CBD7AADF65E8881893BA3BB85328F504328D1712B6D9D7F814CACF94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Executed Functions

                                                      Function 02C60958 Relevance: 2.9, Strings: 1, Instructions: 1631COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.575408200.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_2c60000_dhcpmon.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: P
                                                      • API String ID: 0-3110715001
                                                      • Opcode ID: 8cd15128952ce89866e772074b5afb84aae20aa5a88bcdc591c6228175ef09e3
                                                      • Instruction ID: 179226fee5a0b8b72947689e43113009232699ac41838a5a4ca54a9750631143
                                                      • Opcode Fuzzy Hash: 8cd15128952ce89866e772074b5afb84aae20aa5a88bcdc591c6228175ef09e3
                                                      • Instruction Fuzzy Hash: 4932B1316002058FDB15EF64D898A7DBBB2FF84311F1684A9E516DB3A2DB74EC42CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 02C6094C Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.575408200.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_2c60000_dhcpmon.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: P
                                                      • API String ID: 0-3110715001
                                                      • Opcode ID: bcd9157e3f793ab446bfb36535409df01f60bcbecdbfce6d3dfcffa288907040
                                                      • Instruction ID: 6eef91ca2daed65cf6cb680432589209030bfc7bc0404c85259d4a6c1058fe79
                                                      • Opcode Fuzzy Hash: bcd9157e3f793ab446bfb36535409df01f60bcbecdbfce6d3dfcffa288907040
                                                      • Instruction Fuzzy Hash: 97418131B11215DFDB14CBA8C494BAEB7B2FF88704F14866DE016AB391DB71AD42CB80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 02C602DC Relevance: .2, Instructions: 248COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.575408200.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_2c60000_dhcpmon.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e11f1cf0fba08d81872f8cb428210e6ba7b41577e1582c1465d3b32420528556
                                                      • Instruction ID: 3ac889f67b3862ea42fb22bb33832300b0be64acf8709011677ac60783c2725b
                                                      • Opcode Fuzzy Hash: e11f1cf0fba08d81872f8cb428210e6ba7b41577e1582c1465d3b32420528556
                                                      • Instruction Fuzzy Hash: 7E31B170A052C8EFD716EFA9D840749BFB3ABD5300F14C4AAD444D7269EA341D15DB22
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 02C60708 Relevance: .1, Instructions: 108COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.575408200.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_2c60000_dhcpmon.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2faf19a13995a45465388f2f50fabf0419d852ba1c10fa86682cf833f1a2806a
                                                      • Instruction ID: f5ad9dd92640e1d8a4f571c15c83eb313376e0a741ffba9cda9faf09327ef26c
                                                      • Opcode Fuzzy Hash: 2faf19a13995a45465388f2f50fabf0419d852ba1c10fa86682cf833f1a2806a
                                                      • Instruction Fuzzy Hash: 49416074B10605DFCB18EBB0E898B6E77B6BF88700B108429F502A7764EF309D41DB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 02C60718 Relevance: .1, Instructions: 104COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.575408200.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_2c60000_dhcpmon.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5f2abeb07d662fba4f715c61a013a61f2d7d90f3ab7b8e419e14b3343ba5442b
                                                      • Instruction ID: d902ff3970d18b4cb6e4f1bf8ed4ce1f65479986cb8c329cb1d2c0ffacdd64c9
                                                      • Opcode Fuzzy Hash: 5f2abeb07d662fba4f715c61a013a61f2d7d90f3ab7b8e419e14b3343ba5442b
                                                      • Instruction Fuzzy Hash: BB415178B10205DFCB18EBB4E898B6E77B6BF88700B108519F506A7764EF30AD41DB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 02C60C40 Relevance: .1, Instructions: 96COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.575408200.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_2c60000_dhcpmon.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 341383182839e2f8b13a90ddb53a50f0b1f185bca4169ead3bc62857abfd3b00
                                                      • Instruction ID: bce36e1281ca43488f364585bf819ed3e66286b246f46991b48f1f99df194359
                                                      • Opcode Fuzzy Hash: 341383182839e2f8b13a90ddb53a50f0b1f185bca4169ead3bc62857abfd3b00
                                                      • Instruction Fuzzy Hash: C131E834A042889FCB15EB78D8649AF7FB1AF85310F1080AEE445DB392DA389D05CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 02C60C50 Relevance: .1, Instructions: 89COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.575408200.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_2c60000_dhcpmon.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 45f2391e5cafd1371d9aea949f106b0169383d991ef2e644e33fca284dcc47b3
                                                      • Instruction ID: f36de0c25aa19c40603df4cb112f0baf90dfbb434c86a9b1900a14c099f78d00
                                                      • Opcode Fuzzy Hash: 45f2391e5cafd1371d9aea949f106b0169383d991ef2e644e33fca284dcc47b3
                                                      • Instruction Fuzzy Hash: 0731C474A002489FCB05EFB8D854AAF7FB2EF89310F1080AEE505D7351DA349E05DBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 02C60AF0 Relevance: .1, Instructions: 86COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.575408200.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_2c60000_dhcpmon.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e36644e69ba8f56861a9355ba507786ab073d3d0f1263e0e182a0524ed913ad4
                                                      • Instruction ID: a81cc276b41a3e62e5f2c456f6a2a0d83d6d05a7d1934922c17d09f1e07c2c71
                                                      • Opcode Fuzzy Hash: e36644e69ba8f56861a9355ba507786ab073d3d0f1263e0e182a0524ed913ad4
                                                      • Instruction Fuzzy Hash: C42144303042429FCB25ABB9D88472A7BE4EFC6314B1584AAD454CB392EE74DC46CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 02C60448 Relevance: .1, Instructions: 67COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.575408200.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_2c60000_dhcpmon.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8da795969e7152885c549e6238638d3b5bafb69b195002b6a2ba4643d43b4f88
                                                      • Instruction ID: 01182c6b10aeeb2e259c5dd1dbc2b9a1f02bf07f4d8b463d198825c3555c32ba
                                                      • Opcode Fuzzy Hash: 8da795969e7152885c549e6238638d3b5bafb69b195002b6a2ba4643d43b4f88
                                                      • Instruction Fuzzy Hash: AF217174A01688EFD709FFAAD940749BFF7ABC8300F10C469A80493368EE746955DB55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 02C60600 Relevance: .1, Instructions: 67COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.575408200.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_2c60000_dhcpmon.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cd4def62f37a33ecbec1946e3d9147f5227caee140c2f385585b518ed96d333a
                                                      • Instruction ID: 476f4ae7b4cf263521107c7a061187a2d15811d1c7cee110ee7843cb47569d37
                                                      • Opcode Fuzzy Hash: cd4def62f37a33ecbec1946e3d9147f5227caee140c2f385585b518ed96d333a
                                                      • Instruction Fuzzy Hash: 8511E9757002118FC759EB78D498A2D37E6AFC965536105A8E406CF3B2DE36EC42CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 02C6086F Relevance: .0, Instructions: 43COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.575408200.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_2c60000_dhcpmon.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1945d20124f5ad676950a80db229f5534af6be420ab40c83ecf773221bda3be9
                                                      • Instruction ID: a148ed8bc7558868886f1bd5c7ffcf4709a3f46ef02bdb69f21bc616284b2805
                                                      • Opcode Fuzzy Hash: 1945d20124f5ad676950a80db229f5534af6be420ab40c83ecf773221bda3be9
                                                      • Instruction Fuzzy Hash: D811B774E01209DFDB18EBA0E9A9B6D7BB2BF88215F208429E512E7664DF309D01DF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 02C60569 Relevance: .0, Instructions: 37COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.575408200.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_2c60000_dhcpmon.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6c744be7db2f6b4b39419e41cae0d61c752f47e1e0221bce044915bcffae5da6
                                                      • Instruction ID: e9475080e8cbab356f83ff59019671fc688f9db60ecdd2cd1b0b45c658b04c93
                                                      • Opcode Fuzzy Hash: 6c744be7db2f6b4b39419e41cae0d61c752f47e1e0221bce044915bcffae5da6
                                                      • Instruction Fuzzy Hash: D2016D72D04619DFCB64EF78EC48A6E7BB1BB44310B11856AE416D72A0DB74D901DF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Function 02C60578 Relevance: .0, Instructions: 37COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.575408200.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_2c60000_dhcpmon.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 836abe1ed2c1191e64b8cf4f8e7bdf613b506a98a502e6eef0af608e6be8622d
                                                      • Instruction ID: 7d3aebb2a61ffb653094d6efad165ea0beabab91e8211c03da7a09b6750bd45d
                                                      • Opcode Fuzzy Hash: 836abe1ed2c1191e64b8cf4f8e7bdf613b506a98a502e6eef0af608e6be8622d
                                                      • Instruction Fuzzy Hash: 33018171900618DFCB58EFB8D84C66E7BB5FB44311B11856AE416D32A0DB70D902DF94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%