
Windows Analysis Report
NA.exe

Overview

General Information

Sample Name: NA.exe
Analysis ID: 881404
MD5: 6c432a8b26bc0e068f23e88f69c0f565
SHA1: 318fdcf5ba0a326bf6601e1f917f9aa16645d9ca
SHA256: 0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • NA.exe (PID: 1544 cmdline: C:\Users\user\Desktop\NA.exe MD5: 6C432A8B26BC0E068F23E88F69C0F565)
    • CasPol.exe (PID: 5528 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
  • dhcpmon.exe (PID: 4584 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
    • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "954449b5-566c-46fe-92f0-8eb82a7f", "Group": "Cashout", "Domain1": "ezemnia3.ddns.net", "Domain2": "91.193.75.178", "Port": 62335, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source | Rule | Description | Author | Strings
00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
  • 0xe38:$x2: NanoCore.ClientPlugin
  • 0xe75:$x3: NanoCore.ClientPluginHost
  • 0xe5a:$i1: IClientApp
  • 0xe4e:$i2: IClientData
  • 0xe29:$i3: IClientNetwork
  • 0xec3:$i4: IClientAppHost
  • 0xe65:$i5: IClientDataHost
  • 0xeb0:$i6: IClientLoggingHost
  • 0xe8f:$i7: IClientNetworkHost
  • 0xea2:$i8: IClientUIHost
  • 0xed2:$i9: IClientNameObjectCollection
  • 0xef7:$i10: IClientReadOnlyNameObjectCollection
  • 0xe41:$s1: ClientPlugin
  • 0x177c:$s1: ClientPlugin
  • 0x1789:$s1: ClientPlugin
  • 0x11f9:$s6: get_ClientSettings
  • 0x1249:$s7: get_Connected
00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
  • 0xe75:$a1: NanoCore.ClientPluginHost
  • 0xe38:$a2: NanoCore.ClientPlugin
  • 0x120c:$b1: get_BuilderSettings
  • 0xec3:$b4: IClientAppHost
  • 0x127d:$b6: AddHostEntry
  • 0x12ec:$b7: LogClientException
  • 0x1261:$b8: PipeExists
  • 0xeb0:$b9: IClientLoggingHost
00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source | Rule | Description | Author | Strings
1.2.CasPol.exe.5ce0000.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
1.2.CasPol.exe.5ce0000.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
1.2.CasPol.exe.5ce0000.5.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
  • 0xe38:$x2: NanoCore.ClientPlugin
  • 0xe75:$x3: NanoCore.ClientPluginHost
  • 0xe5a:$i1: IClientApp
  • 0xe4e:$i2: IClientData
  • 0xe29:$i3: IClientNetwork
  • 0xec3:$i4: IClientAppHost
  • 0xe65:$i5: IClientDataHost
  • 0xeb0:$i6: IClientLoggingHost
  • 0xe8f:$i7: IClientNetworkHost
  • 0xea2:$i8: IClientUIHost
  • 0xed2:$i9: IClientNameObjectCollection
  • 0xef7:$i10: IClientReadOnlyNameObjectCollection
  • 0xe41:$s1: ClientPlugin
  • 0x177c:$s1: ClientPlugin
  • 0x1789:$s1: ClientPlugin
  • 0x11f9:$s6: get_ClientSettings
  • 0x1249:$s7: get_Connected
1.2.CasPol.exe.5ce0000.5.raw.unpack | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
  • 0xe75:$a1: NanoCore.ClientPluginHost
  • 0xe38:$a2: NanoCore.ClientPlugin
  • 0x120c:$b1: get_BuilderSettings
  • 0xec3:$b4: IClientAppHost
  • 0x127d:$b6: AddHostEntry
  • 0x12ec:$b7: LogClientException
  • 0x1261:$b8: PipeExists
  • 0xeb0:$b9: IClientLoggingHost
1.2.CasPol.exe.5d70000.6.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost

AV Detection

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 5528, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 5528, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 5528, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 5528, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
No Snort rule has matched


AV Detection

Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "954449b5-566c-46fe-92f0-8eb82a7f", "Group": "Cashout", "Domain1": "ezemnia3.ddns.net", "Domain2": "91.193.75.178", "Port": 62335, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: NA.exe; ReversingLabs: Detection: 29%
Source: 91.193.75.178; Avira URL Cloud: Label: malware
Source: ezemnia3.ddns.net; Avira URL Cloud: Label: malware
Source: Yara match; File source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTR
Source: NA.exe; Joe Sandbox ML: detected
Source: NA.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: caspol.pdbdv source: CasPol.exe, 00000001.00000003.389904732.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.650649992.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000004.00000000.414315300.0000000000C32000.00000002.00000001.01000000.00000006.sdmp, dhcpmon.exe.1.dr
Source: Binary string: caspol.pdb source: CasPol.exe, 00000001.00000003.389904732.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.650649992.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000004.00000000.414315300.0000000000C32000.00000002.00000001.01000000.00000006.sdmp, dhcpmon.exe.1.dr
Source: Binary string: WINNERS.pdb source: NA.exe, 00000000.00000002.387087180.0000016100001000.00000004.00000800.00020000.00000000.sdmp, NA.exe, 00000000.00000002.388893091.0000016178BB0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: BHBhHuH.pdb source: NA.exe

Networking

Source: Malware configuration extractor; URLs: ezemnia3.ddns.net
Source: Malware configuration extractor; URLs: 91.193.75.178
Source: unknown; DNS query: name: ezemnia3.ddns.net
Source: Joe Sandbox View; ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: Joe Sandbox View; ASN Name: VCG-ASNG VCG-ASNG
Source: global traffic; TCP traffic: 192.168.2.5:49693 -> 102.90.46.28:62335
Source: global traffic; TCP traffic: 192.168.2.5:49713 -> 91.193.75.178:62335
Source: unknown; TCP traffic detected without corresponding DNS query: 91.193.75.178
Source: CasPol.exe, 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown; DNS traffic detected: queries for: ezemnia3.ddns.net
Source: CasPol.exe, 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Source: Yara match; File source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTR

System Summary

Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTR; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTR; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTR; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTR; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTR; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTR; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.5ce0000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.CasPol.exe.2ebd01c.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\NA.exe | Code function: 0_2_00007FF9A59508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_04FFE480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_04FFE471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_04FFBBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06240040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_013E0958
Source: NA.exe | Static PE information: No import functions for PE file found
Source: NA.exe, 00000000.00000002.388691888.00000161788A0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBHBhHuH.exe0 vs NA.exe
Source: NA.exe, 00000000.00000002.387087180.0000016100001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWINNERS.dll0 vs NA.exe
Source: NA.exe, 00000000.00000002.388893091.0000016178BB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWINNERS.dll0 vs NA.exe
Source: NA.exe, 00000000.00000002.388726593.00000161789BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs NA.exe
Source: NA.exe | Binary or memory string: OriginalFilenameBHBhHuH.exe0 vs NA.exe
Source: NA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NA.exe | ReversingLabs: Detection: 29%
Source: NA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NA.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\NA.exe C:\Users\user\Desktop\NA.exe
Source: C:\Users\user\Desktop\NA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\NA.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NA.exe.log
Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/5@6/2
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.0.dhcpmon.exe.c30000.0.unpack, Microsoft.Tools.Caspol/caspol.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.dhcpmon.exe.c30000.0.unpack, Microsoft.Tools.Caspol/caspol.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.1.dr, Microsoft.Tools.Caspol/caspol.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.1.dr, Microsoft.Tools.Caspol/caspol.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: NA.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\NA.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{954449b5-566c-46fe-92f0-8eb82a7f77b0}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: NA.exe, dg3ypDAonQcOidMs0w/WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: NA.exe, dg3ypDAonQcOidMs0w/WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: NA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NA.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: NA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: caspol.pdbdv source: CasPol.exe, 00000001.00000003.389904732.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.650649992.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000004.00000000.414315300.0000000000C32000.00000002.00000001.01000000.00000006.sdmp, dhcpmon.exe.1.dr
Source: Binary string: caspol.pdb source: CasPol.exe, 00000001.00000003.389904732.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.650649992.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 00000004.00000000.414315300.0000000000C32000.00000002.00000001.01000000.00000006.sdmp, dhcpmon.exe.1.dr
Source: Binary string: WINNERS.pdb source: NA.exe, 00000000.00000002.387087180.0000016100001000.00000004.00000800.00020000.00000000.sdmp, NA.exe, 00000000.00000002.388893091.0000016178BB0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: BHBhHuH.pdb source: NA.exe

Data Obfuscation

Source: NA.exe, program.cs | .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: NA.exe, dg3ypDAonQcOidMs0w/WP6RZJql8gZrNhVA9v.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\NA.exe | Code function: 0_2_00007FF9A595518F push dword ptr [ebp-16FFFFFFh]; ret 0_2_00007FF9A5955195
Source: NA.exe | Static PE information: 0xB53777FE [Wed May 5 18:54:54 2066 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.967009459127166
Source: NA.exe, dg3ypDAonQcOidMs0w/WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: '.cctor', 'co6c6Nm3PZwY0', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB', 'ubAof6RgCm', 'YpJoWsPi7X', 'BEVodWAYPB', 'gX8onkMSd7', 'PEXoCqmS4w'
Source: NA.exe, oRZtxCaSAYh6EEGEIZ/Idt5pgryuYoFVQiX6j.cs | High entropy of concatenated method names: 'fBNc6NmmIqQ1R', '.ctor', '.cctor', 'iNWIf2QpurvD6XMUt7', 'AZak8DBhxQL2VMNKLI', 'GMhD36hGpGqEJW2pxp', 'dgD7B6bvHp3vfThMay', 'T06nspdDH1qRC3iGuj', 'KKqDqEEle7bnmacEWX', 'EUf3IRcFoqdrtVdspF'
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\NA.exe | Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX (42 identical entries)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX (8 identical entries)
Source: C:\Users\user\Desktop\NA.exe TID: 5552 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4360 | Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 576 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\NA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 9716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: foregroundWindowGot 1194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\NA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: CasPol.exe, 00000001.00000002.650649992.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\NA.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\NA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Users\user\Desktop\NA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
Source: C:\Users\user\Desktop\NA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 420000
Source: C:\Users\user\Desktop\NA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 422000
Source: C:\Users\user\Desktop\NA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: B2F008
Source: NA.exe, dg3ypDAonQcOidMs0w/WP6RZJql8gZrNhVA9v.cs | Reference to suspicious API methods: ('oGjoaYPPLS', 'GetProcAddress@kernel32'), ('H1sorrpiaP', 'LoadLibrary@kernel32')
Source: 1.2.CasPol.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs | Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Source: C:\Users\user\Desktop\NA.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\NA.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\NA.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Source: CasPol.exe, 00000001.00000002.656888742.0000000005EDD000.00000004.00000010.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.651668667.000000000342B000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.651668667.0000000003042000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: CasPol.exe, 00000001.00000002.651668667.0000000003022000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managerx
Source: CasPol.exe, 00000001.00000002.651668667.00000000033B5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerHaFp
Source: C:\Users\user\Desktop\NA.exe | Queries volume information: C:\Users\user\Desktop\NA.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTR

Remote Access Functionality

Source: NA.exe, 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: NA.exe, 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: CasPol.exe, 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: CasPol.exe, 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: CasPol.exe, 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Yara match | File source: 1.2.CasPol.exe.5d70000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NA.exe.1611043fd20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.3edff64.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.3edb12e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.5d70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.5d74629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NA.exe.1611043fd20.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.3edff64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.3ee458d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NA.exe PID: 1544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 5528, type: MEMORYSTR
ATT&CK matrix, techniques grouped by tactic column (a number in front of a technique is the badge value shown in the report's matrix cell, kept as extracted):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: 312 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: 2 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 312 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Hidden Files and Directories; 2 Obfuscated Files or Information; 22 Software Packing; 1 Timestomp
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 Security Software Discovery; 2 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 12 System Information Discovery; System Owner/User Discovery; Network Sniffing; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: 11 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
Source | Detection | Scanner | Label
NA.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles
NA.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
91.193.75.178 | 100% | Avira URL Cloud | malware
ezemnia3.ddns.net | 100% | Avira URL Cloud | malware

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ezemnia3.ddns.net | 102.90.46.28 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
ezemnia3.ddns.net | true | Avira URL Cloud: malware | unknown
91.193.75.178 | true | Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CasPol.exe, 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
91.193.75.178 | unknown | Serbia | 209623 | DAVID_CRAIGGG | true
102.90.46.28 | ezemnia3.ddns.net | Nigeria | 29465 | VCG-ASNG | true
      Joe Sandbox Version:37.1.0 Beryl
      Analysis ID:881404
      Start date and time:2023-06-04 17:40:28 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 7m 57s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:7
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample file name:NA.exe
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@5/5@6/2
      EGA Information:
      • Successful, ratio: 33.3%
      HDC Information:
      • Successful, ratio: 55.1% (good quality ratio 49.8%)
      • Quality average: 64.2%
      • Quality standard deviation: 32.1%
      HCA Information:
      • Successful, ratio: 90%
      • Number of executed functions: 38
      • Number of non-executed functions: 1
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
      • Excluded IPs from analysis (whitelisted): 23.0.174.114, 23.0.174.96, 23.0.174.106, 23.0.174.107, 23.0.174.112, 23.0.174.97, 23.0.174.104, 23.0.174.91, 23.0.174.98
      • Excluded domains from analysis (whitelisted): www.bing.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net
      • Execution Graph export aborted for target NA.exe, PID 1544 because it is empty
      • Execution Graph export aborted for target dhcpmon.exe, PID 4584 because it is empty
• Not all processes were analyzed, report is missing behavior information
      • VT rate limit hit for: NA.exe
Time | Type | Description
17:41:28 | API Interceptor | 1054x Sleep call for process: CasPol.exe modified
17:41:30 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
91.193.75.178 | file.exe | malicious | Nanocore, zgRAT |
 | mona.lerioprovantageOrder25-10-2022.scr.exe | malicious | AveMaria, UACMe |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ezemnia3.ddns.net | file.exe | malicious | Nanocore, zgRAT | 197.210.227.232
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DAVID_CRAIGGG | file.exe | malicious | Nanocore, zgRAT | 91.193.75.178
 | file.exe | malicious | AveMaria, UACMe | 91.193.75.154
 | file.exe | malicious | AveMaria, UACMe | 91.193.75.154
 | 2023-05-25_LG화학_협력사_평가_요청자료·pdf.exe | malicious | Remcos | 91.193.75.231
 | Order-POF561.js | malicious | VjW0rm, AgentTesla | 91.193.75.131
 | OrderPO22170555823612pg.js | malicious | WSHRat, VjW0rm | 91.193.75.131
 | old outstanding .PDF.js | malicious | WSHRat, VjW0rm | 91.193.75.131
 | Confirmation_Slip.PDF.js | malicious | WSHRat, VjW0rm | 91.193.75.131
 | ORDERNO8499009.PDF.exe | malicious | AveMaria, UACMe | 91.193.75.134
 | INVOICE.PDF.js | malicious | WSHRat, VjW0rm | 91.193.75.131
 | AWB#476587652.PDF.js | malicious | VjW0rm, STRRAT | 91.193.75.131
 | NEW_PO#_230469008.js | malicious | WSHRat, VjW0rm | 91.193.75.131
 | TTE0009000.exe | malicious | Remcos, GuLoader | 91.193.75.179
 | 790087654REWMPM.exe | malicious | Remcos | 91.193.75.179
 | RHOP98765434567.exe | malicious | Remcos | 91.193.75.179
 | HAWB#68564359.pdf.js | malicious | WSHRat, VjW0rm | 91.193.75.131
 | AWB#00756543.pdf.js | malicious | WSHRat, VjW0rm | 91.193.75.131
 | DATA SHEET.exe | malicious | AveMaria, UACMe | 91.193.75.142
 | xyMxPOlHzrr7.exe | malicious | Njrat | 91.193.75.234
 | order_list.exe | malicious | Nanocore | 91.193.75.135
VCG-ASNG | file.exe | malicious | Nanocore, zgRAT | 197.210.227.232
 | 85AIf1A9HL.elf | malicious | Mirai, Moobot | 197.210.224.166
 | oSa4mCa2to.elf | malicious | Mirai, Moobot | 197.210.52.180
 | ztXcSRBenJ.elf | malicious | Mirai, Moobot | 41.206.0.64
 | yR28mIJkTh.elf | malicious | Mirai, Moobot | 197.210.224.161
 | 8i87E84xva.elf | malicious | Mirai, Moobot | 197.210.224.168
 | 6AU1Y1X4Oy.elf | malicious | Mirai, Moobot | 197.210.99.183
 | RQsecy8d0u.elf | malicious | Mirai, Moobot | 197.210.224.150
 | etCjEgSqfA.elf | malicious | Mirai, Moobot | 197.210.52.188
 | XHe2PHQoBa.elf | malicious | Mirai | 102.91.233.49
 | OqAiyoDGN2.elf | malicious | Mirai, Moobot | 197.210.224.160
 | G5QOCvRRrI.elf | malicious | Mirai, Moobot | 197.210.52.191
 | Proforma_Invoice.exe | malicious | Remcos | 197.210.84.20
 | HCH8Siog9X.elf | malicious | Mirai, Moobot | 197.210.99.197
 | jBhmxU9F1H.elf | malicious | Mirai, Moobot | 41.206.0.72
 | b3kQMXltP6.elf | malicious | Mirai, Moobot | 197.210.172.239
 | 2p710QCUte.elf | malicious | Mirai, Moobot | 102.90.197.203
 | rPJ9o3VWfD.elf | malicious | Mirai, Moobot | 41.206.0.78
 | x86.elf | malicious | Mirai, Moobot | 197.210.170.1
 | Ya10Y6d7wD.elf | malicious | Mirai | 102.90.150.248
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | file.exe | malicious | Nanocore, zgRAT |
 | SecuriteInfo.com.Variant.Tedy.268270.10392.14925.exe | malicious | AgentTesla |
 | RFQ12152022-CFASTENERS.exe | malicious | AgentTesla |
 | SecuriteInfo.com.Win64.CrypterX-gen.29893.10701.exe | malicious | AgentTesla |
 | SecuriteInfo.com.W64.MSIL_Agent.EGC.gen.Eldorado.4749.1675.exe | malicious | AgentTesla |
 | SecuriteInfo.com.Variant.MSILHeracles.57647.31347.6402.exe | malicious | Unknown |
 | SecuriteInfo.com.Win64.SpywareX-gen.8757.4281.exe | malicious | AgentTesla |
 | RFQ12182022-CFASTENERS.exe | malicious | AgentTesla |
 | a516b9a.exe | malicious | AgentTesla |
 | BL672802783628376927.xls.exe | malicious | AgentTesla |
 | COSU802638767087391028.xlsx.exe | malicious | AgentTesla |
 | lYLa9NxVxz.exe | malicious | AgentTesla |
 | mHxIARlBs3.exe | malicious | AgentTesla |
 | TaZ7s6VkLR.exe | malicious | AgentTesla |
 | SecuriteInfo.com.Win64.TrojanX-gen.5439.21008.exe | malicious | AgentTesla |
 | wssghmw9WY.exe | malicious | AgentTesla |
 | SecuriteInfo.com.Win64.Evo-gen.7869.12301.exe | malicious | AgentTesla |
 | QUOTATIONS#873622.exe | malicious | AgentTesla |
 | MACHINE SPECIFICATIONS.exe | malicious | AgentTesla |
 | SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.1956.16034.exe | malicious | AgentTesla |
                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):107624
                                                  Entropy (8bit):5.882571203162287
                                                  Encrypted:false
                                                  SSDEEP:1536:oSF7vA1hRqHixxMjlI34j8p2mdc/6A4vW/CU1RPMRVQJE:/A1hDPMip2mdcyA4vW/JRPMLQW
                                                  MD5:F866FC1C2E928779C7119353C3091F0C
                                                  SHA1:70D06064E2F12CFB10A82BC985F86F58EA7A4138
                                                  SHA-256:67F3FC243C58EEAE55BDDC22CE025B7841A89ACA2E201B999D8C0E4F07D177B8
                                                  SHA-512:B28B10801580726B85AB5F796EA26835648A3ACFBE1FBA95DFC687439B43FF9548BD3AB9EFC85D88FC071D232718BCFFAC614CC5BFF159173996A3D2AB22154D
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Joe Sandbox View:
                                                  • Filename: file.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Variant.Tedy.268270.10392.14925.exe, Detection: malicious, Browse
                                                  • Filename: RFQ12152022-CFASTENERS.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Win64.CrypterX-gen.29893.10701.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.W64.MSIL_Agent.EGC.gen.Eldorado.4749.1675.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Variant.MSILHeracles.57647.31347.6402.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Win64.SpywareX-gen.8757.4281.exe, Detection: malicious, Browse
                                                  • Filename: RFQ12182022-CFASTENERS.exe, Detection: malicious, Browse
                                                  • Filename: a516b9a.exe, Detection: malicious, Browse
                                                  • Filename: BL672802783628376927.xls.exe, Detection: malicious, Browse
                                                  • Filename: COSU802638767087391028.xlsx.exe, Detection: malicious, Browse
                                                  • Filename: lYLa9NxVxz.exe, Detection: malicious, Browse
                                                  • Filename: mHxIARlBs3.exe, Detection: malicious, Browse
                                                  • Filename: TaZ7s6VkLR.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Win64.TrojanX-gen.5439.21008.exe, Detection: malicious, Browse
                                                  • Filename: wssghmw9WY.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Win64.Evo-gen.7869.12301.exe, Detection: malicious, Browse
                                                  • Filename: QUOTATIONS#873622.exe, Detection: malicious, Browse
                                                  • Filename: MACHINE SPECIFICATIONS.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.1956.16034.exe, Detection: malicious, Browse
                                                  Reputation:moderate, very likely benign file
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...rX.Z..............0..X...........v... ........@.. ..............................Q.....`.................................<v..O.......$............f..h>...........u............................................... ............... ..H............text....V... ...X.................. ..`.rsrc...$............Z..............@..@.reloc...............d..............@..B................pv......H.......,...`...............xE...t......................................2~P....o....*.r...p(....*VrK..p(....s.....P...*..0.._.......~....:O....>.....%.rm..p...A...s......su....%.r...p...A...s....rm..p.su....%.r...p...B...s......su....%.r...p...B...s....r...p.su....%.r...p...C...s......su....%.r...p...C...s....r...p.su....%.r...p...D...s......su....%.r...p...D...s....r...p.su....%.r...p...E...s......su....%..r...p...E...s....r...p.su....%..r...p...F...s......su....%..r...p...F
                                                  Process:C:\Users\user\Desktop\NA.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):226
                                                  Entropy (8bit):5.354940450065058
                                                  Encrypted:false
                                                  SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
                                                  MD5:B10E37251C5B495643F331DB2EEC3394
                                                  SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
                                                  SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
                                                  SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):42
                                                  Entropy (8bit):4.0050635535766075
                                                  Encrypted:false
                                                  SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                  MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                  SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                  SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                  SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                  File Type:Non-ISO extended-ASCII text, with no line terminators, with escape sequences
                                                  Category:dropped
                                                  Size (bytes):8
                                                  Entropy (8bit):3.0
                                                  Encrypted:false
                                                  SSDEEP:3:yt:yt
                                                  MD5:E4A6D16D7F7D253314AEF24A15FBC92A
                                                  SHA1:8D34EBADE8A34A2C7393ED889B645FFFEC163048
                                                  SHA-256:8ECF592FB6C70B0DF6F5C97FDDF4560224D9FF38F30443B50EFED9A99DBA0A31
                                                  SHA-512:E4497B0F82D2E8D07308047409DA25CF15B838DB974E1E19BB15D29DCDC12631F16A9F2F0B35959F87874BF50433FAFC8C1434969736EFF833D27F5D82CB6332
                                                  Malicious:true
                                                  Preview:....]e.H
                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):486
                                                  Entropy (8bit):5.064987733454706
                                                  Encrypted:false
                                                  SSDEEP:12:z30U30b4BFNY8fNFquci7S1pE+DPOCN6+QOH5JyY:z3F3g4DO4UE+Tz5JB
                                                  MD5:30394F72BB157162F35A2DEB1F48BD1A
                                                  SHA1:66AD7D748F42C64E0698606A8F019D165DE657E8
                                                  SHA-256:133FABF0CD558FA3E5144E9EF35654FA0422F8424C6D5D82828B8D10EC9BA295
                                                  SHA-512:A93E12D6C9927403FE0E20B8A698B24007EBCCD53A29AD65428366C6CE3CED05E5F3AEFF1D46C7D9F174EAEAE5059F0B5D12353B6022965CDC5D187E45FA72E9
                                                  Malicious:false
                                                  Preview:Microsoft .NET Framework CasPol 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....WARNING: The .NET Framework does not apply CAS policy by default. Any settings shown or modified by CasPol will only ..affect applications that opt into using CAS policy. ....Please see http://go.microsoft.com/fwlink/?LinkId=131738 for more information. ......ERROR: Not enough arguments....For usage information, use 'caspol -?'..
                                                  File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.963481307928194
                                                  TrID:
                                                  • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                                  • Win64 Executable GUI (202006/5) 46.43%
                                                  • Win64 Executable (generic) (12005/4) 2.76%
                                                  • Generic Win/DOS Executable (2004/3) 0.46%
                                                  • DOS Executable Generic (2002/1) 0.46%
                                                  File name:NA.exe
                                                  File size:775680
                                                  MD5:6c432a8b26bc0e068f23e88f69c0f565
                                                  SHA1:318fdcf5ba0a326bf6601e1f917f9aa16645d9ca
                                                  SHA256:0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331
                                                  SHA512:1a57c2c54e51a4e9bc1abf375a10e87236c5136cbbca0920597ecbf7f0d3bae674cced351ee5794028f7e7e25982bcb3409fc36d6ccf41b9497bbdec03a19c7e
                                                  SSDEEP:12288:faNp9CFWv60PaT5zePZMjFkA1pniuSwgsAaQWKYt9VRd4li8i+3UQXGLPSPr3FbV:SNp9CFEa4RMjFhThyaJj+N66z3F8+sW
                                                  TLSH:51F42226BB93C772D90595B050B3051183F5D38A7637CA5B2D98A2DB0E673A0FF4AB4C
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....w7...............0.................. ....@...... ....................... ............`...@......@............... .....
                                                  Icon Hash:90cececece8e8eb0
                                                  Entrypoint:0x400000
                                                  Entrypoint Section:
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0xB53777FE [Wed May 5 18:54:54 2066 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:
Instruction (disassembly at the reported entrypoint, RVA 0: AddressOfEntryPoint is 0 for this x64 IL-only .NET assembly, so the bytes decoded here are the DOS header 4D 5A 90 00 03 00 00 00 04 00 00 00, not executable code)
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x598 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbebd4 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbcc20 | 0xbce00 | False | 0.9689594018861681 | data | 7.967009459127166 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc0000 | 0x598 | 0x600 | False | 0.412109375 | data | 4.066824834379209 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xc00a0 | 0x30c | data | |
RT_MANIFEST | 0xc03ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
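The static fields above (entrypoint at RVA 0, empty IMPORT and IAT directories, a COM_DESCRIPTOR entry at 0x2000, and a COFF time stamp in 2066) are what a first-pass PE triage should weigh together rather than one at a time. The Python below is an added example written for this page, not Joe Sandbox's or the sample's own code. It reads a PE32/PE32+ header with nothing but struct, runs against a constructed synthetic header (the real NA.exe is not embedded), and reports the two report signatures with the caveats a practitioner needs: a future time stamp is strong tamper evidence in a native PE, but deterministic (Roslyn) .NET builds store a hash of the build inputs in that field, so for managed code it is expected noise; and an empty import table is the normal shape of an x64 IL-only assembly, where the loader hands the image to the CLR via the COM descriptor, not evidence of packing on its own. REPORT_TIMESTAMP and ANALYSIS_TIME are copied from the report; the header offsets come from the PE/COFF specification.

```python
import struct
from datetime import datetime, timezone

# Values copied from the report: COFF TimeDateStamp of NA.exe and the analysis start (17:40:28 +02:00).
REPORT_TIMESTAMP = 0xB53777FE
ANALYSIS_TIME = datetime(2023, 6, 4, 15, 40, 28, tzinfo=timezone.utc)

# Data-directory indices from the PE/COFF specification.
DIR_IMPORT, DIR_COM_DESCRIPTOR = 1, 14


def build_sample_header(timestamp, import_rva=0, clr_rva=0, entry_point=0):
    """Constructed minimal PE32+ header (DOS stub + NT headers, no sections); not the real NA.exe."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: NT headers follow the DOS header
    # Machine x64, 2 sections, time stamp, no symbols, optional header 240 bytes,
    # Characteristics EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE (as in the report).
    coff = struct.pack("<HHIIIHH", 0x8664, 2, timestamp, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_point)            # AddressOfEntryPoint
    struct.pack_into("<H", opt, 70, 0x8560)                 # HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|NO_SEH|TS_AWARE
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    for index, rva in ((DIR_IMPORT, import_rva), (DIR_COM_DESCRIPTOR, clr_rva)):
        struct.pack_into("<II", opt, 112 + index * 8, rva, 0x48 if rva else 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def triage(data, now=ANALYSIS_TIME):
    """Read only the PE headers and return the facts a first-pass verdict should rest on."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, _nsec, stamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                            # 4-byte signature + 20-byte COFF header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    dirs = opt + (112 if pe32plus else 96)

    def directory(index):
        if index >= ndirs:
            return 0, 0
        return struct.unpack_from("<II", data, dirs + index * 8)

    import_rva, _ = directory(DIR_IMPORT)
    clr_rva, _ = directory(DIR_COM_DESCRIPTOR)
    managed = clr_rva != 0
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc)

    findings = []
    if compiled > now:
        # A future COFF time stamp is classic tampering in a native PE. Deterministic Roslyn builds,
        # however, write a hash of the build inputs here, so for .NET it is expected noise.
        findings.append("future timestamp"
                        + (" (expected noise for deterministic .NET builds)" if managed else ""))
    if import_rva == 0:
        # x64 IL-only assemblies have no import table and AddressOfEntryPoint 0: the loader hands the
        # image to the CLR through the COM descriptor directory, so this alone is not packing evidence.
        findings.append("no import table"
                        + (" (normal for x64 IL-only .NET)" if managed and pe32plus
                           else " (stripped or packed native image)"))
    return {
        "machine": machine,
        "pe32plus": pe32plus,
        "managed": managed,
        "entry_point": entry_point,
        "nx_compat": bool(dll_chars & 0x0100),
        "timestamp": compiled.isoformat(),
        "findings": findings,
    }


if __name__ == "__main__":
    print(triage(build_sample_header(REPORT_TIMESTAMP, clr_rva=0x2000)))
```

triage() touches only the headers, so it is safe to run over any file in bulk; what headers cannot tell you is whether .text is packed, which is the question the section table's 7.97 entropy and 0.97 ZLIB complexity above answer separately.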
TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 4, 2023 17:41:29.846982956 CEST | 49693 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:41:32.860028028 CEST | 49693 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:41:38.861643076 CEST | 49693 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:41:49.086462975 CEST | 49711 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:41:52.096015930 CEST | 49711 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:41:58.112176895 CEST | 49711 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:42:07.524621010 CEST | 49712 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:42:10.535191059 CEST | 49712 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:42:16.535546064 CEST | 49712 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:42:26.428272009 CEST | 49713 | 62335 | 192.168.2.5 | 91.193.75.178
Jun 4, 2023 17:42:26.473097086 CEST | 62335 | 49713 | 91.193.75.178 | 192.168.2.5
Jun 4, 2023 17:42:26.974164963 CEST | 49713 | 62335 | 192.168.2.5 | 91.193.75.178
Jun 4, 2023 17:42:27.020880938 CEST | 62335 | 49713 | 91.193.75.178 | 192.168.2.5
Jun 4, 2023 17:42:27.536618948 CEST | 49713 | 62335 | 192.168.2.5 | 91.193.75.178
Jun 4, 2023 17:42:27.581342936 CEST | 62335 | 49713 | 91.193.75.178 | 192.168.2.5
Jun 4, 2023 17:42:31.600708008 CEST | 49714 | 62335 | 192.168.2.5 | 91.193.75.178
Jun 4, 2023 17:42:31.645589113 CEST | 62335 | 49714 | 91.193.75.178 | 192.168.2.5
Jun 4, 2023 17:42:32.146420002 CEST | 49714 | 62335 | 192.168.2.5 | 91.193.75.178
Jun 4, 2023 17:42:32.191236973 CEST | 62335 | 49714 | 91.193.75.178 | 192.168.2.5
Jun 4, 2023 17:42:32.693353891 CEST | 49714 | 62335 | 192.168.2.5 | 91.193.75.178
Jun 4, 2023 17:42:32.738332987 CEST | 62335 | 49714 | 91.193.75.178 | 192.168.2.5
Jun 4, 2023 17:42:36.741517067 CEST | 49715 | 62335 | 192.168.2.5 | 91.193.75.178
Jun 4, 2023 17:42:36.786386013 CEST | 62335 | 49715 | 91.193.75.178 | 192.168.2.5
Jun 4, 2023 17:42:37.287365913 CEST | 49715 | 62335 | 192.168.2.5 | 91.193.75.178
Jun 4, 2023 17:42:37.332129002 CEST | 62335 | 49715 | 91.193.75.178 | 192.168.2.5
Jun 4, 2023 17:42:37.849920034 CEST | 49715 | 62335 | 192.168.2.5 | 91.193.75.178
Jun 4, 2023 17:42:37.897248030 CEST | 62335 | 49715 | 91.193.75.178 | 192.168.2.5
Jun 4, 2023 17:42:41.953573942 CEST | 49716 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:42:44.962184906 CEST | 49716 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:42:50.973063946 CEST | 49716 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:43:01.282201052 CEST | 49718 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:43:04.286673069 CEST | 49718 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:43:10.287220001 CEST | 49718 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:43:19.976326942 CEST | 49719 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:43:22.975980997 CEST | 49719 | 62335 | 192.168.2.5 | 102.90.46.28
Jun 4, 2023 17:43:28.980907917 CEST | 49719 | 62335 | 192.168.2.5 | 102.90.46.28
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 4, 2023 17:41:29.799606085 CEST | 50295 | 53 | 192.168.2.5 | 8.8.8.8
Jun 4, 2023 17:41:29.835984945 CEST | 53 | 50295 | 8.8.8.8 | 192.168.2.5
Jun 4, 2023 17:41:49.048280001 CEST | 49177 | 53 | 192.168.2.5 | 8.8.8.8
Jun 4, 2023 17:41:49.084583044 CEST | 53 | 49177 | 8.8.8.8 | 192.168.2.5
Jun 4, 2023 17:42:07.508359909 CEST | 49724 | 53 | 192.168.2.5 | 8.8.8.8
Jun 4, 2023 17:42:07.523355007 CEST | 53 | 49724 | 8.8.8.8 | 192.168.2.5
Jun 4, 2023 17:42:41.917318106 CEST | 61452 | 53 | 192.168.2.5 | 8.8.8.8
Jun 4, 2023 17:42:41.952620983 CEST | 53 | 61452 | 8.8.8.8 | 192.168.2.5
Jun 4, 2023 17:43:01.252048016 CEST | 51484 | 53 | 192.168.2.5 | 8.8.8.8
Jun 4, 2023 17:43:01.280893087 CEST | 53 | 51484 | 8.8.8.8 | 192.168.2.5
Jun 4, 2023 17:43:19.947905064 CEST | 63446 | 53 | 192.168.2.5 | 8.8.8.8
Jun 4, 2023 17:43:19.974457026 CEST | 53 | 63446 | 8.8.8.8 | 192.168.2.5
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 4, 2023 17:41:29.799606085 CEST | 192.168.2.5 | 8.8.8.8 | 0x6fb5 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 4, 2023 17:41:49.048280001 CEST | 192.168.2.5 | 8.8.8.8 | 0x3885 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 4, 2023 17:42:07.508359909 CEST | 192.168.2.5 | 8.8.8.8 | 0xe889 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 4, 2023 17:42:41.917318106 CEST | 192.168.2.5 | 8.8.8.8 | 0xe4a3 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 4, 2023 17:43:01.252048016 CEST | 192.168.2.5 | 8.8.8.8 | 0x9bda | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
Jun 4, 2023 17:43:19.947905064 CEST | 192.168.2.5 | 8.8.8.8 | 0x4553 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 4, 2023 17:41:29.835984945 CEST | 8.8.8.8 | 192.168.2.5 | 0x6fb5 | No error (0) | ezemnia3.ddns.net | | 102.90.46.28 | A (IP address) | IN (0x0001) | false
Jun 4, 2023 17:41:49.084583044 CEST | 8.8.8.8 | 192.168.2.5 | 0x3885 | No error (0) | ezemnia3.ddns.net | | 102.90.46.28 | A (IP address) | IN (0x0001) | false
Jun 4, 2023 17:42:07.523355007 CEST | 8.8.8.8 | 192.168.2.5 | 0xe889 | No error (0) | ezemnia3.ddns.net | | 102.90.46.28 | A (IP address) | IN (0x0001) | false
Jun 4, 2023 17:42:41.952620983 CEST | 8.8.8.8 | 192.168.2.5 | 0xe4a3 | No error (0) | ezemnia3.ddns.net | | 102.90.46.28 | A (IP address) | IN (0x0001) | false
Jun 4, 2023 17:43:01.280893087 CEST | 8.8.8.8 | 192.168.2.5 | 0x9bda | No error (0) | ezemnia3.ddns.net | | 102.90.46.28 | A (IP address) | IN (0x0001) | false
Jun 4, 2023 17:43:19.974457026 CEST | 8.8.8.8 | 192.168.2.5 | 0x4553 | No error (0) | ezemnia3.ddns.net | | 102.90.46.28 | A (IP address) | IN (0x0001) | false
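Read together, the TCP, UDP and DNS tables above show the beacon loop at packet level: roughly every 20 s the implant resolves ezemnia3.ddns.net, opens a fresh ephemeral port to 102.90.46.28:62335 and, getting nothing back, retransmits the SYN after 3 s and again after 6 s (the usual Windows connect backoff) before giving up, while 91.193.75.178:62335, which it contacts with no preceding DNS lookup, answers every attempt. The Python below is an added example written for this page, not Joe Sandbox code. It parses an excerpt of those rows (constructed from the table, same timestamps and ports), rebuilds flows by local ephemeral port, separates answered from unanswered connections, estimates the beacon interval per destination and joins the destination back to the DNS answer so dynamic-DNS hosting is flagged. LOCAL_HOST, COMMON_PORTS and DYNAMIC_DNS_SUFFIXES are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LOCAL_HOST = "192.168.2.5"   # the analysis VM in the report
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 445, 587, 993, 995, 3389}
# Illustrative list only (assumption): feed this from a maintained dynamic-DNS provider list in production.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "no-ip.com", "no-ip.org", "duckdns.org", "hopto.org")

# Constructed excerpt of the TCP table above, one packet per line: timestamp, sport, dport, src, dst.
TCP_ROWS = """\
Jun 4, 2023 17:41:29.846982956 CEST 49693 62335 192.168.2.5 102.90.46.28
Jun 4, 2023 17:41:32.860028028 CEST 49693 62335 192.168.2.5 102.90.46.28
Jun 4, 2023 17:41:38.861643076 CEST 49693 62335 192.168.2.5 102.90.46.28
Jun 4, 2023 17:41:49.086462975 CEST 49711 62335 192.168.2.5 102.90.46.28
Jun 4, 2023 17:41:52.096015930 CEST 49711 62335 192.168.2.5 102.90.46.28
Jun 4, 2023 17:41:58.112176895 CEST 49711 62335 192.168.2.5 102.90.46.28
Jun 4, 2023 17:42:07.524621010 CEST 49712 62335 192.168.2.5 102.90.46.28
Jun 4, 2023 17:42:10.535191059 CEST 49712 62335 192.168.2.5 102.90.46.28
Jun 4, 2023 17:42:16.535546064 CEST 49712 62335 192.168.2.5 102.90.46.28
Jun 4, 2023 17:42:26.428272009 CEST 49713 62335 192.168.2.5 91.193.75.178
Jun 4, 2023 17:42:26.473097086 CEST 62335 49713 91.193.75.178 192.168.2.5
Jun 4, 2023 17:42:26.974164963 CEST 49713 62335 192.168.2.5 91.193.75.178
Jun 4, 2023 17:42:27.020880938 CEST 62335 49713 91.193.75.178 192.168.2.5
Jun 4, 2023 17:42:27.536618948 CEST 49713 62335 192.168.2.5 91.193.75.178
Jun 4, 2023 17:42:27.581342936 CEST 62335 49713 91.193.75.178 192.168.2.5
Jun 4, 2023 17:42:31.600708008 CEST 49714 62335 192.168.2.5 91.193.75.178
Jun 4, 2023 17:42:31.645589113 CEST 62335 49714 91.193.75.178 192.168.2.5
Jun 4, 2023 17:42:32.146420002 CEST 49714 62335 192.168.2.5 91.193.75.178
Jun 4, 2023 17:42:32.191236973 CEST 62335 49714 91.193.75.178 192.168.2.5
Jun 4, 2023 17:42:32.693353891 CEST 49714 62335 192.168.2.5 91.193.75.178
Jun 4, 2023 17:42:32.738332987 CEST 62335 49714 91.193.75.178 192.168.2.5
Jun 4, 2023 17:42:41.953573942 CEST 49716 62335 192.168.2.5 102.90.46.28
Jun 4, 2023 17:42:44.962184906 CEST 49716 62335 192.168.2.5 102.90.46.28
Jun 4, 2023 17:42:50.973063946 CEST 49716 62335 192.168.2.5 102.90.46.28
"""

# Constructed excerpt of the DNS answers above: name, address.
DNS_ROWS = "ezemnia3.ddns.net 102.90.46.28\n"

ROW = re.compile(r"^(\w{3} \d+, \d{4} \d\d:\d\d:\d\d\.\d{6})\d* \w+ (\d+) (\d+) (\S+) (\S+)$")


def parse_rows(text):
    """Yield (timestamp, sport, dport, src, dst); the 9-digit fraction is truncated to microseconds."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield (datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S.%f"),
                   int(m.group(2)), int(m.group(3)), m.group(4), m.group(5))


def summarize(tcp_text, dns_text, local=LOCAL_HOST):
    """Group packets into flows by local ephemeral port and describe each remote ip:port."""
    names = defaultdict(set)
    for line in dns_text.splitlines():
        if line.strip():
            name, addr = line.split()
            names[addr].add(name)

    flows = {}   # (local port, remote ip, remote port) -> {"out": [timestamps], "in": packet count}
    for ts, sport, dport, src, dst in parse_rows(tcp_text):
        if src == local:
            flows.setdefault((sport, dst, dport), {"out": [], "in": 0})["out"].append(ts)
        elif dst == local:
            flows.setdefault((dport, src, sport), {"out": [], "in": 0})["in"] += 1

    by_remote = defaultdict(list)
    for (_lport, rip, rport), flow in flows.items():
        by_remote[(rip, rport)].append(flow)

    report = {}
    for (rip, rport), remote_flows in by_remote.items():
        # Outbound packets with nothing back are one SYN retried at +3 s and +6 s: the C2 host
        # is down, but the beacon loop is not, and each retry burst starts a new local port.
        unanswered = sum(1 for f in remote_flows if f["in"] == 0)
        starts = sorted(f["out"][0] for f in remote_flows if f["out"])
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        domains = sorted(names.get(rip, ()))
        report[f"{rip}:{rport}"] = {
            "flows": len(remote_flows),
            "answered": len(remote_flows) - unanswered,
            "unanswered": unanswered,
            "median_beacon_s": round(median(gaps), 1) if gaps else None,
            "domains": domains,
            "dynamic_dns": any(d.endswith(DYNAMIC_DNS_SUFFIXES) for d in domains),
            "suspicious": rport not in COMMON_PORTS and len(remote_flows) >= 2,
        }
    return report


if __name__ == "__main__":
    for remote, facts in summarize(TCP_ROWS, DNS_ROWS).items():
        print(remote, facts)
```

The unanswered flows matter as much as the answered ones: a host that keeps re-resolving a dynamic-DNS name and re-dialling a dead high port on a fixed cadence is the signal, and it survives the operator moving the listener to a new address.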

                                                  Target ID:0
                                                  Start time:17:41:24
                                                  Start date:04/06/2023
                                                  Path:C:\Users\user\Desktop\NA.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\Desktop\NA.exe
                                                  Imagebase:0x161787e0000
                                                  File size:775680 bytes
                                                  MD5 hash:6C432A8B26BC0E068F23E88F69C0F565
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.387169472.0000016110009000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.387169472.0000016110167000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  Reputation:low

                                                  Target ID:1
                                                  Start time:17:41:26
                                                  Start date:04/06/2023
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
                                                  Imagebase:0x7f0000
                                                  File size:107624 bytes
                                                  MD5 hash:F866FC1C2E928779C7119353C3091F0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.656680345.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.650425425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.656751098.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.654572107.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.651668667.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  Reputation:moderate

                                                  Target ID:4
                                                  Start time:17:41:39
                                                  Start date:04/06/2023
                                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                                  Imagebase:0xc30000
                                                  File size:107624 bytes
                                                  MD5 hash:F866FC1C2E928779C7119353C3091F0C
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Antivirus matches:
                                                  • Detection: 0%, ReversingLabs
                                                  Reputation:moderate

                                                  Target ID:5
                                                  Start time:17:41:39
                                                  Start date:04/06/2023
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7fcd70000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.389247591.00007FF9A5950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff9a5950000_NA.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: )$+
                                                    • API String ID: 0-2508831899
                                                    • Opcode ID: 31b0e7e9a046e0bca78182f41d67b1c7bc73fe82dc20883d18c3a4561659f164
                                                    • Instruction ID: 4f4e9851db568cf47d6ac7939551cbc20c12b90cba7bbf99474f4c71cd21b768
                                                    • Opcode Fuzzy Hash: 31b0e7e9a046e0bca78182f41d67b1c7bc73fe82dc20883d18c3a4561659f164
                                                    • Instruction Fuzzy Hash: AA111FB0E0A61A8EEB60EB14C8447F973F4FB95701F4051F5C14DD6292DB787A988F80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.389247591.00007FF9A5950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff9a5950000_NA.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ce044aa2e3f33101cfdad4fff2305a8c2812e9fe2024b6b75b07fd9c5f72b1fb
                                                    • Instruction ID: a0654f8611b108ea9c5df4b2ba90306f6a564f89a9c1d4af39674ef95957e900
                                                    • Opcode Fuzzy Hash: ce044aa2e3f33101cfdad4fff2305a8c2812e9fe2024b6b75b07fd9c5f72b1fb
                                                    • Instruction Fuzzy Hash: EC41A270E19A2D8EDBE4EB6889417A8B7F1FB5A700F5041F9D14DE2282DF7479848F42
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.389247591.00007FF9A5950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff9a5950000_NA.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c73a0d7d8fefc3df1ce84f558038b18d7cb5b50659757cf7449f77335fe509bd
                                                    • Instruction ID: ec7019122e4b2a88442fc77a871bf3b8211b16332885dbceeb4603bcbb09c4cb
                                                    • Opcode Fuzzy Hash: c73a0d7d8fefc3df1ce84f558038b18d7cb5b50659757cf7449f77335fe509bd
                                                    • Instruction Fuzzy Hash: 12310AB0E0961D8FDB95EFA8C488BADBBF0FF59301F500529D049E7251DB74A855CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.389247591.00007FF9A5950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff9a5950000_NA.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f057b164ad7a8faafc5a7dac7aed2355235c7414f5163ab6dff93aa3d920e035
                                                    • Instruction ID: 4a0fefeb3e1a91743e89d9276a4aa5d91cff9e21eed7c0fce1ea25eb1bf5148e
                                                    • Opcode Fuzzy Hash: f057b164ad7a8faafc5a7dac7aed2355235c7414f5163ab6dff93aa3d920e035
                                                    • Instruction Fuzzy Hash: 63F06971A18A4D9FDB40EF2884096EE7BE0FF9A315F500176E84DC2150DB74A1A48B82
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.389247591.00007FF9A5950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff9a5950000_NA.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 13a41594f9f693bd78dc587b7832796bef7cf612a84c3dbcc0c8be2c3b5e9c7e
                                                    • Instruction ID: 4cb68bda0597bcb7790690f798113c9b920d25ed4f70ad1c2efb0d1da9c15e1a
                                                    • Opcode Fuzzy Hash: 13a41594f9f693bd78dc587b7832796bef7cf612a84c3dbcc0c8be2c3b5e9c7e
                                                    • Instruction Fuzzy Hash: AAE04C70D1551D8EDB95DF5884557EDB6F1FF59300F5000A9D44DE2251DF742A95CF00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.389247591.00007FF9A5950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff9a5950000_NA.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7aaebc12925e264a6588f8e0058945a3a52f0aa0b56c7ce3f93fd64e654074b2
                                                    • Instruction ID: fba0484da099d766926e389406cd31665201c37d0900b66955d755b43709f9c5
                                                    • Opcode Fuzzy Hash: 7aaebc12925e264a6588f8e0058945a3a52f0aa0b56c7ce3f93fd64e654074b2
                                                    • Instruction Fuzzy Hash: 1DD092B0D0892D8EDB55EF58D8547ECB6F1BF4D300F0002A9D04DE3282CB782990CB00
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.389247591.00007FF9A5950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff9a5950000_NA.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: l2`
                                                    • API String ID: 0-3394242075
                                                    • Opcode ID: 04ae1dc36879e96e4dcb44f0895f9a28a5a473ab504af46d3ce00435c3e50d38
                                                    • Instruction ID: 8fd9e18956ebd01a865adea60e440017405451919eaa3f52b4a100b4ecfbf430
                                                    • Opcode Fuzzy Hash: 04ae1dc36879e96e4dcb44f0895f9a28a5a473ab504af46d3ce00435c3e50d38
                                                    • Instruction Fuzzy Hash: F9D1047190E7898FE782DB7898593E87FE0FF57320F5501EAD049CB193DAA81846C712
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage:12.1%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:149
                                                    Total number of Limit Nodes:7
                                                    execution_graph: rendered call graph; the node and edge listing is not reproduced here. Node addresses fall in the 0x4ff0000 and 0x6240000 regions, i.e. the CasPol.exe (target 1) dumps referenced by the function entries below. Windows APIs reached from the graph's nodes: DnsQuery_A, LoadLibraryExW, GetModuleHandleW, CreateWindowExW, KiUserCallbackDispatcher, GetFocus, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, SetWindowLongW, DuplicateHandle.

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 04FFB730
                                                    • GetCurrentThread.KERNEL32 ref: 04FFB76D
                                                    • GetCurrentProcess.KERNEL32 ref: 04FFB7AA
                                                    • GetCurrentThreadId.KERNEL32 ref: 04FFB803
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.655714400.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4ff0000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: a108684a8cf8e46081e6cdcd47c8ff43d35e8834be000ac549b687ce16c47e6d
                                                    • Instruction ID: 43d19b62cf81d0c526fc6d465fcff36bb3a41a4726120d5be8e8305575616793
                                                    • Opcode Fuzzy Hash: a108684a8cf8e46081e6cdcd47c8ff43d35e8834be000ac549b687ce16c47e6d
                                                    • Instruction Fuzzy Hash: 4E5146B1D016458FDB10CFAAD9887DEBFF1AF48314F24845AE019A7360D734A985CF6A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 04FFB730
                                                    • GetCurrentThread.KERNEL32 ref: 04FFB76D
                                                    • GetCurrentProcess.KERNEL32 ref: 04FFB7AA
                                                    • GetCurrentThreadId.KERNEL32 ref: 04FFB803
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.655714400.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4ff0000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 1544072c7d069061982882aaba5fe1499498bce0961ea85db751b79fa8c7cc88
                                                    • Instruction ID: a803267472ff062927f253a69620d13b88f6a564bf8c21ac12bb55a75f5fb8bb
                                                    • Opcode Fuzzy Hash: 1544072c7d069061982882aaba5fe1499498bce0961ea85db751b79fa8c7cc88
                                                    • Instruction Fuzzy Hash: 285137B0D016498FDB14CFAAD9887DEBBF1AF48314F248459E419A7360C774A885CF6A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph: rendered basic-block graph (executed and not-executed blocks colour-coded in the original); the edge listing is not reproduced here. Blocks span 6243178 to 62433f7, with the DnsQuery_A call in block 6243317-6243368.
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.657329000.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_6240000_CasPol.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1e612f017e761fece5d82bf33bc15053705316480c9b8c94fde47faf067a91e2
                                                    • Instruction ID: bd8d9e1c35b147873abd5526c97ae91a6311aa5569644101dd8014053861713d
                                                    • Opcode Fuzzy Hash: 1e612f017e761fece5d82bf33bc15053705316480c9b8c94fde47faf067a91e2
                                                    • Instruction Fuzzy Hash: 79816971D10219CFDB14EFAAC9816DEBBB1FF48310F10852AE815AB240DB74A949CF91
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 04FF962E
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.655714400.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4ff0000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: be416f9b4bfcddf62c6f02de938f533964b54000d95dde82f7853e4c480a9055
                                                    • Instruction ID: 18d1842c9a000320cffd3ffd66dab0588af31587b85ae034726e50e47dd32f14
                                                    • Opcode Fuzzy Hash: be416f9b4bfcddf62c6f02de938f533964b54000d95dde82f7853e4c480a9055
                                                    • Instruction Fuzzy Hash: B97113B0A00B059FDB24DF2AC851B9ABBF1BF88314F10892ED586D7A50D775F8468B91
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04FFFD0A
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.655714400.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4ff0000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 383bad038452cffc9fea65a87bdba80de8192268b7ab0929ac49434ecb5b5ee6
                                                    • Instruction ID: 9c2dd7fa8cf9d876f2a6c904b518318444f961ab61adbcccb51a3ed16f068c1e
                                                    • Opcode Fuzzy Hash: 383bad038452cffc9fea65a87bdba80de8192268b7ab0929ac49434ecb5b5ee6
                                                    • Instruction Fuzzy Hash: 426103B1C04349AFDF02CFA5D984ACEBFB1BF49314F19816AE908AB221D775A945CF50
                                                    APIs
                                                    • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06243358
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.657329000.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_6240000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: Query_
                                                    • String ID:
                                                    • API String ID: 428220571-0
                                                    • Opcode ID: 9a6b4f9b326546b122f87ee992c36831dd4468273a040923f5f72b524b2392d2
                                                    • Instruction ID: 466eb4ef10d8b72eb102502a0aa7e47317bc5e62f77fe6b5fadb17f3a24d5b8c
                                                    • Opcode Fuzzy Hash: 9a6b4f9b326546b122f87ee992c36831dd4468273a040923f5f72b524b2392d2
                                                    • Instruction Fuzzy Hash: 175125B1D102199FDB54DFAAC9817DEBBB1FF08310F24852AE815AB250DB74A985CF90
                                                    APIs
                                                    • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06243358
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.657329000.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_6240000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: Query_
                                                    • String ID:
                                                    • API String ID: 428220571-0
                                                    • Opcode ID: f16c7583d2d81c99a6292387d3baf3b8bbe18e5a3fb152733d1d79fe8cfce0cc
                                                    • Instruction ID: 944daef38f3bf10f0af1e0baa7d7f098b07788f12a0eea93281cb81962813c8c
                                                    • Opcode Fuzzy Hash: f16c7583d2d81c99a6292387d3baf3b8bbe18e5a3fb152733d1d79fe8cfce0cc
                                                    • Instruction Fuzzy Hash: EB512671D1021D9FDB54DFAAC9807DEBBB1FF48310F24842AE815AB250DB74A985CF90
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04FFFD0A
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.655714400.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4ff0000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 5b44317b0f2a6395e1b1806c2843536b25c252bcc9eb797bb8e9472ae27e6842
                                                    • Instruction ID: f30eb00cd290c026dc5d6664044f7f6c4ac7650a759d5cf35f2b1eb9231d482b
                                                    • Opcode Fuzzy Hash: 5b44317b0f2a6395e1b1806c2843536b25c252bcc9eb797bb8e9472ae27e6842
                                                    • Instruction Fuzzy Hash: 6541A3B1D10309EFDB14CF9AC984ADEBBB5FF48310F24812AE819AB214D775A945CF94
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04FFBD87
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.655714400.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4ff0000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: d22ed8423b24aed5a076f255483cbfb1c1cd69c646b15e006c25594f5bc6dbe1
                                                    • Instruction ID: b9603b085c9233aa0f40130dd79c157ef2996b75a7dcc1b30f51ecc03cc5b319
                                                    • Opcode Fuzzy Hash: d22ed8423b24aed5a076f255483cbfb1c1cd69c646b15e006c25594f5bc6dbe1
                                                    • Instruction Fuzzy Hash: 4721E4B5D00249AFDB10CFAAD984ADEBFF4EF48320F14841AE954A7310C378A945DFA5
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04FFBD87
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.655714400.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4ff0000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 0b3de5aa207fc9dccab7cec3d6506b761059851489bf732b70b21ced5bc7e1ff
                                                    • Instruction ID: 915c0e2c3afb5033fbea3c10a388d2031be56613e1071bb584f7c98eb2332f92
                                                    • Opcode Fuzzy Hash: 0b3de5aa207fc9dccab7cec3d6506b761059851489bf732b70b21ced5bc7e1ff
                                                    • Instruction Fuzzy Hash: 5821C4B5D00209AFDB10CF9AD984ADEBFF4EF48320F14841AE954A7310D374A944DFA5
                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04FF96A9,00000800,00000000,00000000), ref: 04FF98BA
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.655714400.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4ff0000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 066a734312bac37ca05b7dc8e0ffbe94b760b1784c15e29b8f06bf6ab8eb6306
                                                    • Instruction ID: 08c836d8e0af6d9a199b7936dfa00dcc7d0aec6ffef2482155bddb23192960aa
                                                    • Opcode Fuzzy Hash: 066a734312bac37ca05b7dc8e0ffbe94b760b1784c15e29b8f06bf6ab8eb6306
                                                    • Instruction Fuzzy Hash: F611C2B6D002099FDB10CF9AD844BDEBBF4AF48720F54842AD515A7610C3B5A945CFA5
                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04FF96A9,00000800,00000000,00000000), ref: 04FF98BA
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.655714400.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4ff0000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 752f33b6142e82da9bd0af42052fcadf1677b4269303d86decb71cacaa2ac9bc
                                                    • Instruction ID: 8ac26adc2d6d560c36502a227ea4f96a9c9f5dabeaaf6f4cfdbb8f99a40f2382
                                                    • Opcode Fuzzy Hash: 752f33b6142e82da9bd0af42052fcadf1677b4269303d86decb71cacaa2ac9bc
                                                    • Instruction Fuzzy Hash: 3811E2B6D002099FDB10CF9AC988BDEBBF4AF88710F54842ED419B7610C374A646CFA5
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 04FF962E
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.655714400.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4ff0000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 2cfe6f96ee228d665198591ab385fa92d391bcaefcde2c9643a044ee3b9514e8
                                                    • Instruction ID: 8ec411374b5b767287faf6d80ecad9f0003afcc978cceecc3cc4da93d093485f
                                                    • Opcode Fuzzy Hash: 2cfe6f96ee228d665198591ab385fa92d391bcaefcde2c9643a044ee3b9514e8
                                                    • Instruction Fuzzy Hash: C911E0B6C002498FDB10CF9AC944BDEFBF4AF88724F14842AD429B7610C3B5A546CFA5
                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 04FFFE9D
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.655714400.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4ff0000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    • Opcode ID: a734e757b13cd04cd2f1c7d46e9827ce72d1543c06336c82de1304716ce9f100
                                                    • Instruction ID: dae465db185b727e570a85d23d5a8880bf6b0f082720d6aa899477b00a6d41b1
                                                    • Opcode Fuzzy Hash: a734e757b13cd04cd2f1c7d46e9827ce72d1543c06336c82de1304716ce9f100
                                                    • Instruction Fuzzy Hash: 8911F2B5C00209DFDB10CF9AD584BDEBBF4EB48324F24841AD955B7650C374A945CFA5
                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 04FFFE9D
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.655714400.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_4ff0000_CasPol.jbxd
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    • Opcode ID: 14413300864c535306e38f06d717e1d7a900b8ccb02129d12849b28b2d0a24f5
                                                    • Instruction ID: 0b56bfa1e54968e72e8b21685ce8622e680ff8b396b361d43a094aabee204a33
                                                    • Opcode Fuzzy Hash: 14413300864c535306e38f06d717e1d7a900b8ccb02129d12849b28b2d0a24f5
                                                    • Instruction Fuzzy Hash: 381100B58002099FDB10CF9AD984BDFBBF8EB48320F20841AD915A7200C374A944CFB5
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.651211859.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_fbd000_CasPol.jbxd
                                                    • Opcode ID: 31b34a99b67758714361faf71b099ed721aac94a5179ae79b52ddb2421c2a82c
                                                    • Instruction ID: bb5aac75684fae947e1e87a777b75adb7862f7d2052d5c0d011aa31eec73abb3
                                                    • Opcode Fuzzy Hash: 31b34a99b67758714361faf71b099ed721aac94a5179ae79b52ddb2421c2a82c
                                                    • Instruction Fuzzy Hash: DE2125B2904240DFDB05DF14D8C0B96BFA5FB94324F24C569E8050B246D336E856EBA3
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.651211859.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_fbd000_CasPol.jbxd
                                                    • Opcode ID: 2cd29ae4a4cf0a0233e41eeac504f537f80c3f79266b314b29152748706f7b78
                                                    • Instruction ID: e3f53d479c41ccf94eee388cacabf457f622ec503bd0edd11e52bb737bb808cd
                                                    • Opcode Fuzzy Hash: 2cd29ae4a4cf0a0233e41eeac504f537f80c3f79266b314b29152748706f7b78
                                                    • Instruction Fuzzy Hash: ED216A76904244DFDB15DF04D8C0B57BF61FB84328F288569D8060B206D336D846EFA3
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.651263824.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_fcd000_CasPol.jbxd
                                                    • Opcode ID: 7d4941d25a7ccefa42ee00770124fef9f4a72eb5f6a7392aa2d943a36a9201dc
                                                    • Instruction ID: 414df2ad5c268a050018237f4d13c2692a1e4324b9278f72137146376b15bef2
                                                    • Opcode Fuzzy Hash: 7d4941d25a7ccefa42ee00770124fef9f4a72eb5f6a7392aa2d943a36a9201dc
                                                    • Instruction Fuzzy Hash: 4C212571544241DFCB14CF18D6C1F1ABBA1FB84324F20C97DD84A0B24AC336D847EA61
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.651263824.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_fcd000_CasPol.jbxd
                                                    • Opcode ID: 5df2b0b8af26fb7509d35b49c9fa7180fd86f30fd1ba406ca99d35bd5676a993
                                                    • Instruction ID: 3243b9fc2add31a813731c5ca1481b79506f1613733735660acb84c731692f1d
                                                    • Opcode Fuzzy Hash: 5df2b0b8af26fb7509d35b49c9fa7180fd86f30fd1ba406ca99d35bd5676a993
                                                    • Instruction Fuzzy Hash: D92171755493808FD702CF24D590B15BF71EB46324F28C5EED8458B657C33A980ACB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.651211859.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_fbd000_CasPol.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                    • Instruction ID: 58735744977910489736010a2e032f556cc7089b553757434799d34f41ce6eff
                                                    • Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                    • Instruction Fuzzy Hash: 1411E676904280CFCB16CF10D9C4B56BF71FB94324F24C6A9D8450B616C33AE85ADFA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.651211859.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_fbd000_CasPol.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                    • Instruction ID: 97e88d3911427dc907c04213a5c91a36115775bce50765bff7f28eedf293bb3c
                                                    • Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                    • Instruction Fuzzy Hash: 9711D376904284CFDB16CF14D5C4B56BF71FB84328F28C6A9D8050B616C336D856DFA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.417316530.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_13e0000_dhcpmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: P
                                                    • API String ID: 0-3110715001
                                                    • Opcode ID: 919ce6ae016018b58648a3f7c88af2b83ada46f20624ba9be68be52af6baf533
                                                    • Instruction ID: f732e9b12d3b33428804255b6e30ecf89651869ad617ac97716aaab75fc3b938
                                                    • Opcode Fuzzy Hash: 919ce6ae016018b58648a3f7c88af2b83ada46f20624ba9be68be52af6baf533
                                                    • Instruction Fuzzy Hash: 7E32C4317002549FDB19EF78D458A6D7BF2FF84314F1685A9E5059B2A2CB78EC42CB81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.417316530.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_13e0000_dhcpmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: P
                                                    • API String ID: 0-3110715001
                                                    • Opcode ID: c09129848317e8cead4802485722b472787867a7c5c7903d7cd41e38b94243af
                                                    • Instruction ID: 53534c2f7fce6dca330e041eb9bacbc4167c481e7b87f72d7e625d8bcc03aad5
                                                    • Opcode Fuzzy Hash: c09129848317e8cead4802485722b472787867a7c5c7903d7cd41e38b94243af
                                                    • Instruction Fuzzy Hash: 0B416F31B10219DFDB14CF68C454AAEB7F2FF88704F64866DE415AB394DB75AC428B80
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.417316530.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_13e0000_dhcpmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: oy
                                                    • API String ID: 0-3857508015
                                                    • Opcode ID: ac5e7ee53f75660737d176db6ba397a310ef438cc18601589d2278f5e0caf313
                                                    • Instruction ID: 51846d34f880510e413d5ed515393a3822b940641c0b24d75f7e2c1aca039e8f
                                                    • Opcode Fuzzy Hash: ac5e7ee53f75660737d176db6ba397a310ef438cc18601589d2278f5e0caf313
                                                    • Instruction Fuzzy Hash: DA217A757002108FCB59EB38D464A2D37E2AFC972432505ADF006CB3B2CA35EC42CB50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.417316530.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_13e0000_dhcpmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 264bab200dc9141b84d974036edd54311879a6bdee70cbb703703fbeb40dfa9c
                                                    • Instruction ID: baf12fbc05a98fb181028dd70d0b63b2fbbe4dc5ade46d7f2ebb1f7df121b5b8
                                                    • Opcode Fuzzy Hash: 264bab200dc9141b84d974036edd54311879a6bdee70cbb703703fbeb40dfa9c
                                                    • Instruction Fuzzy Hash: 6A316DB4B04388AFD715EFA9E954659BFF2EBD8300F1080B9C845A7269EB3C1D41DB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.417316530.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_13e0000_dhcpmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ba4ad32e4205e53297a8af16bba30fd15b99080ec63e78aa8025d1782b1a223f
                                                    • Instruction ID: 44d4a4bd6d1f35d80a91a8c8bdb65027e211c6ac168edb4574d976db177bb336
                                                    • Opcode Fuzzy Hash: ba4ad32e4205e53297a8af16bba30fd15b99080ec63e78aa8025d1782b1a223f
                                                    • Instruction Fuzzy Hash: 18415C78B10215DFDB18DF74D458A6D7BB6EF88700F108568F506A73A0DF78A841CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.417316530.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_13e0000_dhcpmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 72e14c23b9819bbb04b046e25563a0f07e92e6c15bb98050b723ad1c925b6675
                                                    • Instruction ID: 446790e0adc9d02f80ed350f2a3f23b820eb7cd780d16790eb5a065c205cf74b
                                                    • Opcode Fuzzy Hash: 72e14c23b9819bbb04b046e25563a0f07e92e6c15bb98050b723ad1c925b6675
                                                    • Instruction Fuzzy Hash: 9F31C374B043489FCB19EFB8D8509AE7FB1EF89210B1040A9E805DB351DA389D05CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.417316530.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_13e0000_dhcpmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ab307ce8cc5de0ede0cb8c619830c3560eb948fedf6d4a048890660d00956695
                                                    • Instruction ID: 62963336f62a28c7c7033f7fd1a9b3f54529c32b515eb9e50817f123c0f99fc7
                                                    • Opcode Fuzzy Hash: ab307ce8cc5de0ede0cb8c619830c3560eb948fedf6d4a048890660d00956695
                                                    • Instruction Fuzzy Hash: B721F6313043529FDB299F79981861E7FF4EFC6218B1485AAE454CB296DA78DC42C750
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.417316530.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_13e0000_dhcpmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 15272cf1df9f521b574c98558a46d6d94fe9dc4514816bc753eb8f938b027f3b
                                                    • Instruction ID: 00c78e374a00bf10fc932226cf0eb6e425fd119383785325fab66fa2ae03da35
                                                    • Opcode Fuzzy Hash: 15272cf1df9f521b574c98558a46d6d94fe9dc4514816bc753eb8f938b027f3b
                                                    • Instruction Fuzzy Hash: 63212EB4B00688ABD718EFAAE95465DBBF3EBD8700F20C079D84563358DB382941DB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.417316530.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_13e0000_dhcpmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f05906bf1053faefe67657f543431a02ecab1b38e762928d60f725ab1d19cfb5
                                                    • Instruction ID: b435f6361e5728f6d5e728e35b5bef52c70284e1cf1f72d046ef3fb3d7962a5c
                                                    • Opcode Fuzzy Hash: f05906bf1053faefe67657f543431a02ecab1b38e762928d60f725ab1d19cfb5
                                                    • Instruction Fuzzy Hash: D1118074F01209DFDB18DFA4E559A6D7BB2AF88305F208468F512E72A4DE78A845CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.417316530.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_13e0000_dhcpmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 13445026d9490e1a437c7c913470cd64d07e849c2625f5fde923bd7fb3ea5f94
                                                    • Instruction ID: 368d8f51df65d12020057fffabf995e0875b4cc38c76639d44ec62d0e9975b1b
                                                    • Opcode Fuzzy Hash: 13445026d9490e1a437c7c913470cd64d07e849c2625f5fde923bd7fb3ea5f94
                                                    • Instruction Fuzzy Hash: 6E01A271A04214EFC768EFB4E80D56E7BB5FF09210B1085AAE466D7291CB78D900CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.417316530.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_13e0000_dhcpmon.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 562890cf61b1e87d0d82326cbcd84ae6005266c92c73d1610e8f42ff4786a0db
                                                    • Instruction ID: 4be2e7ca998a874153327bf5363693e41095b98191846878b9ce8b6d20f0456f
                                                    • Opcode Fuzzy Hash: 562890cf61b1e87d0d82326cbcd84ae6005266c92c73d1610e8f42ff4786a0db
                                                    • Instruction Fuzzy Hash: 0B013175A04214EFCB68EF78E80C56E7BB5FF48311B10956AE426D3294DB78D901CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%