
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 882701
MD5: 462948d717e44bda852450260ec44d37
SHA1: dc2aab0e06f483ee853ebec53cdb126131c0c8d7
SHA256: 1d28cee9d618d8f15b3875ea1ac44a8bf4d9c59171da3227ba3b973e0c9fdb1a
Tags: NET, exe, MSIL, NanoCore, x64

Detection

Nanocore, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected Nanocore RAT
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 5556 cmdline: C:\Users\user\Desktop\file.exe MD5: 462948D717E44BDA852450260EC44D37)
    • aspnet_compiler.exe (PID: 6456 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
  • dhcpmon.exe (PID: 6756 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Malware configuration (NanoCore): {"Version": "1.2.2.0", "Mutex": "954449b5-566c-46fe-92f0-8eb82a7f", "Group": "Cashout", "Domain1": "ezemnia3.ddns.net", "Domain2": "91.193.75.178", "Port": 62335, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
    file.exe | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
    • 0x40a73:$s1: file:///
    • 0x40981:$s2: {11111-22222-10009-11112}
    • 0x40a03:$s3: {11111-22222-50001-00000}
    • 0x3b9cf:$s4: get_Module
    • 0x380fb:$s5: Reverse
    • 0x37c27:$s6: BlockCopy
    • 0x38391:$s7: ReadByte
    • 0x40a85:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
    Source | Rule | Description | Author | Strings
    00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
    00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
    • 0xe38:$x2: NanoCore.ClientPlugin
    • 0xe75:$x3: NanoCore.ClientPluginHost
    • 0xe5a:$i1: IClientApp
    • 0xe4e:$i2: IClientData
    • 0xe29:$i3: IClientNetwork
    • 0xec3:$i4: IClientAppHost
    • 0xe65:$i5: IClientDataHost
    • 0xeb0:$i6: IClientLoggingHost
    • 0xe8f:$i7: IClientNetworkHost
    • 0xea2:$i8: IClientUIHost
    • 0xed2:$i9: IClientNameObjectCollection
    • 0xef7:$i10: IClientReadOnlyNameObjectCollection
    • 0xe41:$s1: ClientPlugin
    • 0x177c:$s1: ClientPlugin
    • 0x1789:$s1: ClientPlugin
    • 0x11f9:$s6: get_ClientSettings
    • 0x1249:$s7: get_Connected
    00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
    • 0xe75:$a1: NanoCore.ClientPluginHost
    • 0xe38:$a2: NanoCore.ClientPlugin
    • 0x120c:$b1: get_BuilderSettings
    • 0xec3:$b4: IClientAppHost
    • 0x127d:$b6: AddHostEntry
    • 0x12ec:$b7: LogClientException
    • 0x1261:$b8: PipeExists
    • 0xeb0:$b9: IClientLoggingHost
    00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    Source | Rule | Description | Author | Strings
    1.2.aspnet_compiler.exe.50b0000.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    1.2.aspnet_compiler.exe.50b0000.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
    1.2.aspnet_compiler.exe.50b0000.5.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
    • 0xe38:$x2: NanoCore.ClientPlugin
    • 0xe75:$x3: NanoCore.ClientPluginHost
    • 0xe5a:$i1: IClientApp
    • 0xe4e:$i2: IClientData
    • 0xe29:$i3: IClientNetwork
    • 0xec3:$i4: IClientAppHost
    • 0xe65:$i5: IClientDataHost
    • 0xeb0:$i6: IClientLoggingHost
    • 0xe8f:$i7: IClientNetworkHost
    • 0xea2:$i8: IClientUIHost
    • 0xed2:$i9: IClientNameObjectCollection
    • 0xef7:$i10: IClientReadOnlyNameObjectCollection
    • 0xe41:$s1: ClientPlugin
    • 0x177c:$s1: ClientPlugin
    • 0x1789:$s1: ClientPlugin
    • 0x11f9:$s6: get_ClientSettings
    • 0x1249:$s7: get_Connected
    1.2.aspnet_compiler.exe.50b0000.5.raw.unpack | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
    • 0xe75:$a1: NanoCore.ClientPluginHost
    • 0xe38:$a2: NanoCore.ClientPlugin
    • 0x120c:$b1: get_BuilderSettings
    • 0xec3:$b4: IClientAppHost
    • 0x127d:$b6: AddHostEntry
    • 0x12ec:$b7: LogClientException
    • 0x1261:$b8: PipeExists
    • 0xeb0:$b9: IClientLoggingHost
    1.2.aspnet_compiler.exe.384ff64.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0xd9ad:$x1: NanoCore.ClientPluginHost
    • 0xd9da:$x2: IClientNetworkHost

    AV Detection

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 6456, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    E-Banking Fraud

    (same Sigma event as listed under AV Detection)

    Stealing of Sensitive Information

    (same Sigma event as listed under AV Detection)

    Remote Access Functionality

    (same Sigma event as listed under AV Detection)

    No Snort rule has matched

    AV Detection

    Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: NanoCore (configuration as shown in the Classification section above)
    Source: file.exe | ReversingLabs: Detection: 54%
    Source: file.exe | Virustotal: Detection: 60%
    Source: 91.193.75.178 | Avira URL Cloud: Label: malware
    Source: ezemnia3.ddns.net | Avira URL Cloud: Label: malware
    Source: ezemnia3.ddns.net | Virustotal: Detection: 6%
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTR
    Source: file.exe | Joe Sandbox ML: detected
    Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: CEMENT.pdb source: file.exe, 00000000.00000002.354909310.0000021A9177F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.354771206.0000021A8FC10000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: NBNNhH873.pdb source: file.exe
    Source: Binary string: aspnet_compiler.pdb source: dhcpmon.exe, 00000002.00000000.379027026.0000000000B82000.00000002.00000001.01000000.00000006.sdmp, dhcpmon.exe.1.dr

    Networking

    Source: Malware configuration extractor | URLs: ezemnia3.ddns.net
    Source: Malware configuration extractor | URLs: 91.193.75.178
    Source: unknown | DNS query: name: ezemnia3.ddns.net
    Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
    Source: Joe Sandbox View | IP Address: 79.134.225.109
    Source: global traffic | TCP traffic: 192.168.2.7:49701 -> 79.134.225.109:62335
    Source: global traffic | TCP traffic: 192.168.2.7:49704 -> 91.193.75.178:62335
    Source: unknown | TCP traffic detected without corresponding DNS query: 91.193.75.178 (this entry is repeated 30 times in the report)
    Source: dhcpmon.exe, 00000002.00000002.380713121.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
    Source: dhcpmon.exe, 00000002.00000002.380713121.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.ce
    Source: aspnet_compiler.exe, 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: unknown | DNS traffic detected: queries for: ezemnia3.ddns.net
    Source: aspnet_compiler.exe, 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices

    E-Banking Fraud

    (Yara matches identical to the seventeen listed under AV Detection above: the same UNPACKEDPE, MEMORY and MEMORYSTR sources.)

    System Summary

    Source: file.exe, type: SAMPLE | Matched rule: Detects zgRAT Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.0.file.exe.21a8f880000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
    Source: 0.2.file.exe.21a8f880000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: file.exe, type: SAMPLE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.50b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.aspnet_compiler.exe.2833ff4.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.0.file.exe.21a8f880000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
    Source: 0.2.file.exe.21a8f880000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
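The match listing above repeats the same five rules against a dozen dumps and memory regions, which hides the only triage question that matters: which rules fired in which process. The script below is an added example, not part of the Joe Sandbox report or of any of the rule authors' tooling. It parses match lines of this shape into records (source, scan type, rule name, rule metadata) and collapses them per process, using the fact that a dumped-PE label such as "1.2.aspnet_compiler.exe..." carries both the process index and its name, so that the index-only labels of raw memory dumps ("00000001.00000002....sdmp") can be resolved. The sample lines are constructed from the listing (one metadata field was dropped for length); the parser accepts both the form where extraction fused the "type" cell onto "Matched rule" and the comma-separated form.

```python
import re
from collections import defaultdict

# Match lines constructed from the report's listing. Both the fused form
# ("UNPACKEDPEMatched rule:") and the separated form ("MEMORY, Matched rule:")
# occur in extracted Joe Sandbox pages, so both appear here.
SAMPLE_LINES = [
    "Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: "
    "Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, "
    "author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, "
    "reference = Internal Research - T2T, license = Detection Rule License 1.1 "
    "https://github.com/Neo23x0/signature-base/blob/master/LICENSE",
    "Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, "
    "type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 "
    "reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, "
    "severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, "
    "threat_name = Windows.Trojan.Nanocore, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23",
    "Source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTRMatched rule: "
    "MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore",
    "Source: 0.2.file.exe.21a8f880000.0.unpack, type: UNPACKEDPE, Matched rule: "
    "MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT",
]

# "type" is matched lazily so that a fused "UNPACKEDPEMatched rule:" still
# splits into UNPACKEDPE + "Matched rule:".
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+?)\s*,?\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)
# "key = value" pairs; a value runs until the next " key = " or end of line,
# so multi-word values such as "scan_context = file, memory" survive intact.
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")
SOURCE_PE_RE = re.compile(r"^(\d+)\.\d+\.(.+?\.(?:exe|dll))\.")   # "<index>.<stage>.<process>..."
SOURCE_DUMP_RE = re.compile(r"^(\d{8})\.\d{8}\.")                 # "<index>.<stage>.<id>...sdmp"
SOURCE_PROC_RE = re.compile(r"^Process Memory Space:\s*(\S+)")


def parse_matches(lines):
    """Turn report match lines into records: source, type, rule, rule metadata."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "source": m.group("source"),
            "type": m.group("type"),
            "rule": m.group("rule"),
            "meta": dict(META_RE.findall(m.group("meta"))),
        })
    return records


def process_of(source, index_to_proc):
    """Resolve a source label to a process name where the label allows it."""
    m = SOURCE_PROC_RE.match(source)
    if m:
        return m.group(1)
    m = SOURCE_PE_RE.match(source)
    if m:
        return m.group(2)
    m = SOURCE_DUMP_RE.match(source)
    if m:  # raw dump labels carry only the process index
        idx = int(m.group(1))
        return index_to_proc.get(idx, "process#%d" % idx)
    return source


def summarize(records):
    """Map each process to the sorted list of rule names that fired on it."""
    index_to_proc = {}
    for r in records:
        m = SOURCE_PE_RE.match(r["source"])
        if m:
            index_to_proc[int(m.group(1))] = m.group(2)
    hits = defaultdict(set)
    for r in records:
        hits[process_of(r["source"], index_to_proc)].add(r["rule"])
    return {proc: sorted(rules) for proc, rules in hits.items()}


if __name__ == "__main__":
    for proc, rules in summarize(parse_matches(SAMPLE_LINES)).items():
        print(proc, "->", ", ".join(rules))
```

Run against the full listing, the output is two lines: file.exe with the zgRAT rule plus the NanoCore rules that fired on the embedded, not-yet-injected payload, and aspnet_compiler.exe with every NanoCore rule, which is the injection target. A rule name that appears only in the `meta` of a MEMORYSTR hit and nowhere else would be worth a second look; here all five fire on unpacked PEs too.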
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 1_2_04C5E480
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 1_2_04C5E47B
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 1_2_04C5BBD4
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 1_2_05DE0040
    Source: file.exe, Static PE information: No import functions for PE file found
    Source: file.exe, Binary or memory string: OriginalFilename vs file.exe
    Source: file.exe, 00000000.00000002.354909310.0000021A9177F000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
    Source: file.exe, 00000000.00000002.354771206.0000021A8FC10000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
    Source: file.exe, 00000000.00000002.354396278.0000021A8FA8C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs file.exe
    Source: file.exe, 00000000.00000002.354205581.0000021A8F882000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameNBNNhH873.exe4 vs file.exe
    Source: file.exe, Binary or memory string: OriginalFilenameNBNNhH873.exe4 vs file.exe
    Source: file.exe, ReversingLabs: Detection: 54%
    Source: file.exe, Virustotal: Detection: 60%
    Source: file.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\file.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown, Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
    Source: C:\Users\user\Desktop\file.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Source: unknown, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
    Source: C:\Users\user\Desktop\file.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log
    Source: classification engine, Classification label: mal100.troj.evad.winEXE@5/5@14/2
    Source: file.exe, Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
    Source: C:\Users\user\Desktop\file.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_01
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{954449b5-566c-46fe-92f0-8eb82a7f77b0}
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, File created: C:\Program Files (x86)\DHCP Monitor
    Source: file.exe, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs, Cryptographic APIs: 'CreateDecryptor'
    Source: file.exe, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs, Cryptographic APIs: 'CreateDecryptor'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs, Cryptographic APIs: 'CreateDecryptor'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs, Cryptographic APIs: 'TransformFinalBlock'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: file.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: file.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: file.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: CEMENT.pdb source: file.exe, 00000000.00000002.354909310.0000021A9177F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.354771206.0000021A8FC10000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: NBNNhH873.pdb source: file.exe
    Source: Binary string: aspnet_compiler.pdb source: dhcpmon.exe, 00000002.00000000.379027026.0000000000B82000.00000002.00000001.01000000.00000006.sdmp, dhcpmon.exe.1.dr
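Two of the behaviour lines above carry the whole story. file.exe (running from the user's Desktop) starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe with a command line that is nothing but the image path, which is how a .NET loader starts a legitimate framework binary before overwriting it with its payload; and the dropped C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe contains the PDB path aspnet_compiler.pdb, which indicates it is a renamed copy of that same host binary kept for persistence. The script below is an added example, not part of the Joe Sandbox report, showing how both observations turn into process-creation detection logic. The events are constructed Sysmon-style records modelled on the process tree: PIDs 5556 and 6456 and the image paths are from the report, while the parents, the dhcpmon.exe PID, the OriginalFileName values and the benign MSBuild-driven build run are assumptions (a byte-for-byte copy keeps its version resource, so the renamed host is assumed to still report aspnet_compiler.exe as OriginalFileName).

```python
import ntpath
import re

# Constructed process-creation events modelled on the report's process tree.
EVENTS = [
    {"pid": 5556, "image": r"C:\Users\user\Desktop\file.exe",
     "cmd": r"C:\Users\user\Desktop\file.exe",
     "original_name": "NBNNhH873.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 6456, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "original_name": "aspnet_compiler.exe", "parent_image": r"C:\Users\user\Desktop\file.exe"},
    {"pid": 7012, "image": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",   # PID assumed
     "cmd": r'"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"',
     "original_name": "aspnet_compiler.exe", "parent_image": None},             # parent unknown in report
    # Benign control (assumed): a real precompilation run with arguments, from a build tool.
    {"pid": 4100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmd": r"aspnet_compiler.exe -v / -p C:\src\site -c C:\build\out",
     "original_name": "aspnet_compiler.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
]

# .NET Framework binaries routinely used as hollowing hosts by .NET loaders.
DOTNET_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)


def bare_command_line(cmd, image):
    """True when the command line carries nothing but the image itself."""
    c = cmd.strip().strip('"').lower()
    return c in (image.lower(), ntpath.basename(image).lower())


def check_event(ev):
    """Return the names of the heuristics the event trips (empty list if none)."""
    findings = []
    image_name = ntpath.basename(ev["image"]).lower()
    original = (ev.get("original_name") or "").lower()
    parent = ev.get("parent_image") or ""

    # 1. A .NET host started with no arguments by a process that runs from a
    #    user-writable path (or whose parent was not recorded). The real tool
    #    does nothing useful without arguments, so an argument-less start by a
    #    non-build-tool parent is what a suspended-then-overwritten host looks like.
    if (image_name in DOTNET_HOSTS and bare_command_line(ev["cmd"], ev["image"])
            and (not parent or USER_WRITABLE.match(parent))):
        findings.append("dotnet_host_hollowing_candidate")

    # 2. A copy of a .NET host running under another file name, wherever it
    #    lives: the version resource still names the original binary.
    if original in DOTNET_HOSTS and original != image_name:
        findings.append("renamed_dotnet_host")
    # 3. Weaker signal: any other image whose name disagrees with its version info.
    elif original and original != image_name:
        findings.append("original_filename_mismatch")
    return findings


def triage(events):
    """Map PID -> findings for every event that tripped at least one heuristic."""
    out = {}
    for ev in events:
        found = check_event(ev)
        if found:
            out[ev["pid"]] = found
    return out


if __name__ == "__main__":
    for pid, found in triage(EVENTS).items():
        print(pid, found)
```

Heuristic 1 is the one that fires during the infection itself (it pairs naturally with the foreign-process memory writes the sandbox records); heuristic 2 catches the persistence copy on every later boot regardless of where the operator chose to drop it, so it does not depend on the "DHCP Monitor" name, which is specific to this build of the sample.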

    Data Obfuscation

    Source: file.exe, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs -- .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
    Source: C:\Users\user\Desktop\file.exe -- Code function: 0_2_00007FFDC2A960C4 push ecx; ret 0_2_00007FFDC2A961DC
    Source: C:\Users\user\Desktop\file.exe -- Code function: 0_2_00007FFDC2A96177 push ecx; ret 0_2_00007FFDC2A961DC
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C5E0F0 push edx; retf 0004h 1_2_04C5E312
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C5E471 push ebx; retf 0004h 1_2_04C5E472
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C5C078 push ds; iretd 1_2_04C5C0AE
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C5E349 push edx; retf 0004h 1_2_04C5E34A
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C5E36F push edx; retf 0004h 1_2_04C5E372
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C5ED89 push esi; retf 0004h 1_2_04C5ED8A
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C5EDB9 push esi; retf 0004h 1_2_04C5EDBA
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C58A61 push ss; retf 0004h 1_2_04C58A62
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C58A70 push ss; retf B404h 1_2_04C58B82
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C59660 push ds; retf 0004h 1_2_04C59662
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C593D9 push ds; retf 0004h 1_2_04C593DA
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C5984B push cs; iretd 1_2_04C5984E
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C57A80 push cs; retf 0004h 1_2_04C57C62
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Code function: 1_2_04C57A71 push cs; retf 0004h 1_2_04C57A72
    Source: file.exe -- Static PE information: 0xB76DF3A6 [Sat Jul 9 11:25:26 2067 UTC]
    Source: initial sample -- Static PE information: section name: .text entropy: 7.054014763171646
    Source: file.exe, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs -- High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'Hx4vQNcd31n6GJ95Wad'
    Source: file.exe, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs -- High entropy of concatenated method names: '.cctor', 'krBFRwabjV', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
    Source: file.exe, rTtVXgHRgBSsFavshV/fousyr1O5TImehMQsy.cs -- High entropy of concatenated method names: 'BjCF97Wa5c', '.ctor', '.cctor', 'Ysni9rctKFx8qVItZhM', 'YgI30QcxVFhgKAD96hv', 'nHZlwWcckR7hjbYV03e', 'WBug2BxqYpRTp9wQd6u', 'bufahpxz5fikLNVk8HV', 'FLONpHcK02MrZ9D5BLA', 'SeG0nPc92dFm6Ah5LaP'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs -- High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs -- High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\file.exe -- Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe -- Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exe TID: 6464 -- Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 5700 -- Thread sleep time: -12912720851596678s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6844 -- Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
    Source: C:\Users\user\Desktop\file.exe -- Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe -- Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Window / User API: threadDelayed 9731
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Window / User API: foregroundWindowGot 1082
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Process information queried: ProcessInformation
    Source: aspnet_compiler.exe, 00000001.00000002.606057054.0000000000A78000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Process token adjusted: Debug
    Source: C:\Users\user\Desktop\file.exe -- Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
    Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
    Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 420000
    Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 422000
    Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 790008
    Source: file.exe, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs -- Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs -- Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
    Source: C:\Users\user\Desktop\file.exe -- Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Source: aspnet_compiler.exe, 00000001.00000002.606910359.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Program Manager0U
    Source: aspnet_compiler.exe, 00000001.00000002.606910359.00000000028CD000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.606910359.0000000002874000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.606910359.0000000002B43000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Program Manager
    Source: aspnet_compiler.exe, 00000001.00000002.606910359.00000000028CD000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.606910359.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.606910359.0000000002B70000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Program Manager`i
    Source: C:\Users\user\Desktop\file.exe -- Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe -- Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    barindex
    Source: Yara match -- File source: file.exe, type: SAMPLE
    Source: Yara match -- File source: 0.0.file.exe.21a8f880000.0.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 0.2.file.exe.21a8f880000.0.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match -- File source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match -- File source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match -- File source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match -- File source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match -- File source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTR
    Source: Yara match -- File source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Source: Yara match -- File source: file.exe, type: SAMPLE
    Source: Yara match -- File source: 0.0.file.exe.21a8f880000.0.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 0.2.file.exe.21a8f880000.0.unpack, type: UNPACKEDPE
    Source: file.exe, 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
    Source: aspnet_compiler.exe, 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
    Source: aspnet_compiler.exe, 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
    Source: aspnet_compiler.exe, 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp -- String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: aspnet_compiler.exe, 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
    Source: aspnet_compiler.exe, 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
    Source: aspnet_compiler.exe, 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: aspnet_compiler.exe, 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
    Source: aspnet_compiler.exe, 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.384ff64.3.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.384b12e.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.385458d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.384ff64.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.5170000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 0.2.file.exe.21aa4b9f868.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 0.2.file.exe.21aa4b9f868.5.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.5170000.6.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 1.2.aspnet_compiler.exe.5174629.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match -- File source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match -- File source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match -- File source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match -- File source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match -- File source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match -- File source: Process Memory Space: file.exe PID: 5556, type: MEMORYSTR
    Source: Yara match -- File source: Process Memory Space: aspnet_compiler.exe PID: 6456, type: MEMORYSTR
MITRE ATT&CK Matrix (one tactic per column; digits in front of a technique are the sandbox's signature-count badges for that technique)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Native API | Path Interception | 312 Process Injection | 2 Masquerading | 11 Input Capture | 1 Security Software Discovery | Remote Services | 11 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Remote Access Software | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 312 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | 21 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Hidden Files and Directories | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 11 Software Packing | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Timestomp | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Source | Detection | Scanner | Label | Link
file.exe | 54% | ReversingLabs | Win64.Trojan.Cerbu |
file.exe | 61% | Virustotal | | Browse
file.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs | |

No Antivirus matches

Source | Detection | Scanner | Label | Link
ezemnia3.ddns.net | 7% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://go.microsoft.c | 0% | URL Reputation | safe |
91.193.75.178 | 100% | Avira URL Cloud | malware |
ezemnia3.ddns.net | 100% | Avira URL Cloud | malware |
http://go.microsoft.ce | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ezemnia3.ddns.net | 79.134.225.109 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
ezemnia3.ddns.net | true | Avira URL Cloud: malware | unknown
91.193.75.178 | true | Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://go.microsoft.c | dhcpmon.exe, 00000002.00000002.380713121.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://go.microsoft.ce | dhcpmon.exe, 00000002.00000002.380713121.00000000010E3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | aspnet_compiler.exe, 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
79.134.225.109 | ezemnia3.ddns.net | Switzerland | | 6775 | FINK-TELECOM-SERVICESCH | true
91.193.75.178 | unknown | Serbia | | 209623 | DAVID_CRAIGGG | true
      Joe Sandbox Version:37.1.0 Beryl
      Analysis ID:882701
      Start date and time:2023-06-06 17:14:01 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 10m 22s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes:7
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample file name:file.exe
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@5/5@14/2
      EGA Information:
      • Successful, ratio: 33.3%
      HDC Information:
      • Successful, ratio: 21.8% (good quality ratio 17.8%)
      • Quality average: 67%
      • Quality standard deviation: 39.3%
      HCA Information:
      • Successful, ratio: 71%
      • Number of executed functions: 49
      • Number of non-executed functions: 3
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
      • Execution Graph export aborted for target dhcpmon.exe, PID 6756 because it is empty
      • Execution Graph export aborted for target file.exe, PID 5556 because it is empty
• Not all processes were analyzed, report is missing behavior information
Time | Type | Description
17:15:07 | API Interceptor | 967x Sleep call for process: aspnet_compiler.exe modified
17:15:09 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
79.134.225.109 | Swift Copy.exe | Get hash | malicious | DBatLoader, Remcos | Browse |
 | cp.msi.exe | Get hash | malicious | Unknown | Browse |
 | ot.msi | Get hash | malicious | AgentTesla GuLoader | Browse |
 | dd.exe | Get hash | malicious | AgentTesla GuLoader | Browse |
 | cW49B9lA9c4reHCwa7Be.exe | Get hash | malicious | BitRAT Xmrig | Browse |
 | PFA-ZeroLag.sfx.exe | Get hash | malicious | AveMaria | Browse |
 | igfx.sfx.exe | Get hash | malicious | Quasar | Browse |
 | P.O List.exe | Get hash | malicious | Nanocore | Browse |
 | P.O List.exe | Get hash | malicious | NanoCore | Browse |
 | 22Quotation Ref detail 00821928299.exe | Get hash | malicious | Remcos | Browse |
91.193.75.178 | NA.exe | Get hash | malicious | Nanocore | Browse |
 | file.exe | Get hash | malicious | Nanocore, zgRAT | Browse |
 | mona.lerioprovantageOrder25-10-2022.scr.exe | Get hash | malicious | AveMaria, UACMe | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ezemnia3.ddns.net | NA.exe | Get hash | malicious | Nanocore | Browse | 102.90.46.28
 | file.exe | Get hash | malicious | Nanocore, zgRAT | Browse | 197.210.227.232
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
FINK-TELECOM-SERVICESCH | PaymentSlip.jar | Get hash | malicious | STRRAT | Browse | 79.134.225.22
 | Pos.jar | Get hash | malicious | STRRAT | Browse | 79.134.225.22
 | IntelCpHeciSvc.exe | Get hash | malicious | Nanocore, Neshta | Browse | 79.134.225.25
 | 4mURngnyJN.exe | Get hash | malicious | AveMaria, UACMe | Browse | 79.134.225.96
 | bOoc2lPsx3.exe | Get hash | malicious | AveMaria, UACMe | Browse | 79.134.225.69
 | Westernunionslippdf.js | Get hash | malicious | Unknown | Browse | 79.134.225.40
 | western_union_receipt-6c1136ae379eefabd1125356a838f43c150504aa.js | Get hash | malicious | Unknown | Browse | 79.134.225.40
 | Ofac_compliance_pdf.js | Get hash | malicious | Unknown | Browse | 79.134.225.40
 | PO00SMK21PDF-Files.COM.exe | Get hash | malicious | AveMaria, UACMe | Browse | 79.134.225.82
 | 430320.img | Get hash | malicious | Unknown | Browse | 79.134.225.84
 | 430320.img | Get hash | malicious | Unknown | Browse | 79.134.225.84
 | New Order Inquiry.exe | Get hash | malicious | Remcos | Browse | 79.134.225.23
 | DHL04AWB01173903102023PDF.scr.exe | Get hash | malicious | Remcos, GuLoader | Browse | 79.134.225.111
 | b7s6hs05Oq.exe | Get hash | malicious | Remcos | Browse | 79.134.225.119
 | yYzwH6q2cM.exe | Get hash | malicious | Nanocore | Browse | 79.134.225.73
 | w2tqpR5e2N.exe | Get hash | malicious | Remcos | Browse | 79.134.225.119
 | 12NI4sOEd1.exe | Get hash | malicious | Remcos | Browse | 79.134.225.119
 | file.exe | Get hash | malicious | Unknown | Browse | 79.134.225.99
 | 7hnidyiHcUQiC60.exe | Get hash | malicious | AveMaria, UACMe | Browse | 79.134.225.73
 | oA5pNPrHNx.exe | Get hash | malicious | Nanocore | Browse | 79.134.225.121
                                No context
                                No context
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):55400
                                Entropy (8bit):6.093991957600089
                                Encrypted:false
                                SSDEEP:768:kF9E8FLLs2Zokf85dImTg6Iq88nqf7PpjU/VifNL45bO:kfE6EkfOdImT/9KU/Vot45bO
                                MD5:17CC69238395DF61AAF483BCEF02E7C9
                                SHA1:B164C5DC95EBCC9ECB305E43789B57E7895781DE
                                SHA-256:A1661DB1B74B876A7E789FC6EBB4E34BEAFA2B48A08E13FD18927FBECC9D2AC4
                                SHA-512:308CC2AB766D2233E5F5F16EF0751C525BA3017C8A4D5177E2FF1A23CD12BAD4F43DADF01139CA163951916145C2F9465A9FA50D50A365AB86942FE55B916087
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:moderate, very likely benign file
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0................. ........@.. ....................................`.................................t...O.......................h>..........<................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......t3..pc.............X...<........................................0..........s.....Y.....(.....Z.....&..(......+....(....o......r...p(....-..r...p(....,.....X....i2..-;(....(..........%.r!..p.(....(....((...(....(....(....( .....-.(7...(.....*.(....-..*.~S...-.~R....S...s!.....~W...o"....~U...o#....~V...o$....o%...~Y...o&...~S...~Q...~T....s'....P...~P...sE...o(............~W....@_,s.....()...r7..p.$(*........o+..........o,....2....... ....37(....(8.........%...o-....
                                Process:C:\Users\user\Desktop\file.exe
                                File Type:CSV text
                                Category:dropped
                                Size (bytes):226
                                Entropy (8bit):5.354940450065058
                                Encrypted:false
                                SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
                                MD5:B10E37251C5B495643F331DB2EEC3394
                                SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
                                SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
                                SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
                                Malicious:true
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):311
                                Entropy (8bit):5.323131242172993
                                Encrypted:false
                                SSDEEP:6:Q3La/xwchA2DLIP12MUAvvr3tDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hhpDLI4M9tDLI4MWuPk21v
                                MD5:8722E88F9E6ACB8D431A70E7039AEB75
                                SHA1:28046D604A6500451BE3F539BAA6BA4BB68A70D0
                                SHA-256:3C0F25EBE9FE43091DE5A65EE92748F2B531F29DD2743B0D4E01DCCFADC95B5E
                                SHA-512:937092F2EDCABD47CD1896C5CFBAB8E7E443D1039650B3462DF0E301F6C53562A4B91FBF59A04957839DE5C121D061C08C6BD274E02DF2C8CC477F601C442C3B
                                Malicious:false
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                File Type:Non-ISO extended-ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):8
                                Entropy (8bit):3.0
                                Encrypted:false
                                SSDEEP:3:SOn:Zn
                                MD5:35C3B7D287B3D7DDA2548CB6799E9192
                                SHA1:FDD242386FADD4FAC7A8D93C639A25E8A0F4F2ED
                                SHA-256:0B2B3855EB67B8B74020AAEE373630892006E4D7F98E96607345909569FDCE97
                                SHA-512:ECAAC20D2BD04022BC333DF69F64D5BD35C40AD27DB3FDD4B9A054A4B1EE225903F9B1F89C8A89AC8B56843ED3DAB6352658E3F18743F987D7DBF1AE77283156
                                Malicious:true
                                Preview:.I.?.f.H
                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):221
                                Entropy (8bit):4.832091525010539
                                Encrypted:false
                                SSDEEP:6:zx3Me21f1LRJIQtUbw/VgRZBXVN+1GFJqozrCib:zKpj1JIdwqBFN+1Q3b
                                MD5:57D5333A79B0C23C3389A5E316FAD23D
                                SHA1:8D1047C6BF4929C993C504E2EF64D689C8F6BFC7
                                SHA-256:83324659D6790503513C9B336FE9C6E368B4A8E88F11543D328ED871B86D5AD7
                                SHA-512:FA15BD8DAABE061EC4629985E2500DA293817E32168EF91AB1F31CD2A322EC937236D86A58633862A7B40E7F15740C8A1F0E82EBB533334760E07CD84B6FF46A
                                Malicious:false
                                Preview:Microsoft (R) ASP.NET Compilation Tool version 4.7.3056.0..Utility to precompile an ASP.NET application..Copyright (C) Microsoft Corporation. All rights reserved.....Run 'aspnet_compiler -?' for a list of valid options...
                                File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.046283595928448
                                TrID:
                                • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                • Win64 Executable GUI (202006/5) 46.43%
                                • Win64 Executable (generic) (12005/4) 2.76%
                                • Generic Win/DOS Executable (2004/3) 0.46%
                                • DOS Executable Generic (2002/1) 0.46%
                                File name:file.exe
                                File size:492032
                                MD5:462948d717e44bda852450260ec44d37
                                SHA1:dc2aab0e06f483ee853ebec53cdb126131c0c8d7
                                SHA256:1d28cee9d618d8f15b3875ea1ac44a8bf4d9c59171da3227ba3b973e0c9fdb1a
                                SHA512:33620c953b59d5bb149ef24eb73d4c972629faa01abe3ed6027f00b6d06611c12866f6334d6c8224422a5e64e3a8ae102debaa403d48dc4ce1519c3250ad8e21
                                SSDEEP:12288:OKC8ZS2btvRz4Ber6bHfbUyMD0v+c1ouiLNISO:TZSiYbUyN/1opx
                                TLSH:FAA49E8B3609E82DC1DC6777D6DB08145BA09E81B307E7067CC723A94D0B7BBAD49987
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....m...............0..z............... ....@...... ....................................`...@......@............... .....
                                Icon Hash:90cececece8e8eb0
                                Entrypoint:0x400000
                                Entrypoint Section:
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0xB76DF3A6 [Sat Jul 9 11:25:26 2067 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:
                                Instruction
                                dec ebp
                                pop edx
                                nop
                                add byte ptr [ebx], al
                                add byte ptr [eax], al
                                add byte ptr [eax+eax], al
                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7a000 | 0x5a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x799b1 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x77a00 | 0x77a00 | False | 0.6748546891327064 | data | 7.054014763171646 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x7a000 | 0x5a8 | 0x600 | False | 0.4212239583333333 | data | 4.127241324318816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x7a0a0 | 0x31c | data | |
RT_MANIFEST | 0x7a3bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 6, 2023 17:15:08.041075945 CEST | 49701 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:08.064122915 CEST | 62335 | 49701 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:08.575122118 CEST | 49701 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:08.598395109 CEST | 62335 | 49701 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:09.106395960 CEST | 49701 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:09.129582882 CEST | 62335 | 49701 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:13.262106895 CEST | 49702 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:13.285293102 CEST | 62335 | 49702 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:13.794352055 CEST | 49702 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:13.817455053 CEST | 62335 | 49702 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:14.325635910 CEST | 49702 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:14.348802090 CEST | 62335 | 49702 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:18.471764088 CEST | 49703 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:18.494910002 CEST | 62335 | 49703 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:18.997859001 CEST | 49703 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:19.020761967 CEST | 62335 | 49703 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:19.529185057 CEST | 49703 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:19.556165934 CEST | 62335 | 49703 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:23.562443972 CEST | 49704 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:23.606931925 CEST | 62335 | 49704 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:24.108072042 CEST | 49704 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:24.153078079 CEST | 62335 | 49704 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:24.654901028 CEST | 49704 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:24.700830936 CEST | 62335 | 49704 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:28.719141006 CEST | 49705 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:28.763087034 CEST | 62335 | 49705 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:29.264481068 CEST | 49705 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:29.308525085 CEST | 62335 | 49705 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:29.811388016 CEST | 49705 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:29.855462074 CEST | 62335 | 49705 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:34.061952114 CEST | 49706 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:34.106059074 CEST | 62335 | 49706 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:34.611581087 CEST | 49706 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:34.655601978 CEST | 62335 | 49706 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:35.171221972 CEST | 49706 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:35.215231895 CEST | 62335 | 49706 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:15:39.625550032 CEST | 49707 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:42.640611887 CEST | 49707 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:42.664053917 CEST | 62335 | 49707 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:43.171874046 CEST | 49707 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:43.195173979 CEST | 62335 | 49707 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:49.271398067 CEST | 49708 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:49.294245005 CEST | 62335 | 49708 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:49.813050985 CEST | 49708 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:49.835954905 CEST | 62335 | 49708 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:50.344496012 CEST | 49708 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:50.367347002 CEST | 62335 | 49708 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:54.428234100 CEST | 49709 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:54.451291084 CEST | 62335 | 49709 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:54.954147100 CEST | 49709 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:54.977171898 CEST | 62335 | 49709 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:55.641733885 CEST | 49709 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:15:55.664686918 CEST | 62335 | 49709 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:15:59.694163084 CEST | 49710 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:15:59.738123894 CEST | 62335 | 49710 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:00.251595020 CEST | 49710 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:00.295561075 CEST | 62335 | 49710 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:00.798471928 CEST | 49710 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:00.842293024 CEST | 62335 | 49710 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:04.862592936 CEST | 49711 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:04.907056093 CEST | 62335 | 49711 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:05.408205032 CEST | 49711 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:05.453219891 CEST | 62335 | 49711 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:05.955111980 CEST | 49711 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:05.999815941 CEST | 62335 | 49711 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:10.003779888 CEST | 49712 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:10.047799110 CEST | 62335 | 49712 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:10.549226999 CEST | 49712 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:10.593605042 CEST | 62335 | 49712 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:11.096235991 CEST | 49712 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:11.140382051 CEST | 62335 | 49712 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:15.266731977 CEST | 49713 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:15.289588928 CEST | 62335 | 49713 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:15.799732924 CEST | 49713 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:15.822609901 CEST | 62335 | 49713 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:16.331099987 CEST | 49713 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:16.355072975 CEST | 62335 | 49713 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:20.413760900 CEST | 49714 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:20.436634064 CEST | 62335 | 49714 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:20.940757036 CEST | 49714 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:20.963783026 CEST | 62335 | 49714 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:21.472040892 CEST | 49714 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:21.495032072 CEST | 62335 | 49714 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:25.562000036 CEST | 49715 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:25.585058928 CEST | 62335 | 49715 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:26.097568989 CEST | 49715 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:26.120632887 CEST | 62335 | 49715 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:26.628866911 CEST | 49715 | 62335 | 192.168.2.7 | 79.134.225.109
Jun 6, 2023 17:16:26.652060986 CEST | 62335 | 49715 | 79.134.225.109 | 192.168.2.7
Jun 6, 2023 17:16:31.361818075 CEST | 49716 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:31.406481981 CEST | 62335 | 49716 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:31.910552979 CEST | 49716 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:31.954881907 CEST | 62335 | 49716 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:32.458163023 CEST | 49716 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:32.505105972 CEST | 62335 | 49716 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:36.522037029 CEST | 49717 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:36.566148996 CEST | 62335 | 49717 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:37.067183971 CEST | 49717 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:37.111156940 CEST | 62335 | 49717 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:37.614214897 CEST | 49717 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:37.658338070 CEST | 62335 | 49717 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:41.662724972 CEST | 49718 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:41.707101107 CEST | 62335 | 49718 | 91.193.75.178 | 192.168.2.7
Jun 6, 2023 17:16:42.221990108 CEST | 49718 | 62335 | 192.168.2.7 | 91.193.75.178
Jun 6, 2023 17:16:42.266382933 CEST | 62335 | 49718 | 91.193.75.178 | 192.168.2.7
                                Jun 6, 2023 17:16:42.780363083 CEST4971862335192.168.2.791.193.75.178
                                Jun 6, 2023 17:16:42.824769020 CEST623354971891.193.75.178192.168.2.7
                                Jun 6, 2023 17:16:47.269637108 CEST4971962335192.168.2.779.134.225.109
                                Jun 6, 2023 17:16:47.292551994 CEST623354971979.134.225.109192.168.2.7
                                Jun 6, 2023 17:16:47.795588017 CEST4971962335192.168.2.779.134.225.109
                                Jun 6, 2023 17:16:47.818490982 CEST623354971979.134.225.109192.168.2.7
                                Jun 6, 2023 17:16:48.342046976 CEST4971962335192.168.2.779.134.225.109
                                Jun 6, 2023 17:16:48.365041971 CEST623354971979.134.225.109192.168.2.7
                                Jun 6, 2023 17:16:52.685977936 CEST4972062335192.168.2.779.134.225.109
                                Jun 6, 2023 17:16:52.708775043 CEST623354972079.134.225.109192.168.2.7
                                Jun 6, 2023 17:16:53.217464924 CEST4972062335192.168.2.779.134.225.109
                                Jun 6, 2023 17:16:53.240200043 CEST623354972079.134.225.109192.168.2.7
                                Jun 6, 2023 17:16:53.748728991 CEST4972062335192.168.2.779.134.225.109
                                Jun 6, 2023 17:16:53.771419048 CEST623354972079.134.225.109192.168.2.7
                                Jun 6, 2023 17:16:57.823483944 CEST4972162335192.168.2.779.134.225.109
                                Jun 6, 2023 17:16:57.846434116 CEST623354972179.134.225.109192.168.2.7
                                Jun 6, 2023 17:16:58.358500004 CEST4972162335192.168.2.779.134.225.109
                                Jun 6, 2023 17:16:58.381515980 CEST623354972179.134.225.109192.168.2.7
                                Jun 6, 2023 17:16:58.889863014 CEST4972162335192.168.2.779.134.225.109
                                Jun 6, 2023 17:16:58.913134098 CEST623354972179.134.225.109192.168.2.7
                                Jun 6, 2023 17:17:02.953772068 CEST4972262335192.168.2.791.193.75.178
                                Jun 6, 2023 17:17:02.997927904 CEST623354972291.193.75.178192.168.2.7
                                Jun 6, 2023 17:17:03.499665976 CEST4972262335192.168.2.791.193.75.178
                                Jun 6, 2023 17:17:03.544055939 CEST623354972291.193.75.178192.168.2.7
                                Jun 6, 2023 17:17:04.046472073 CEST4972262335192.168.2.791.193.75.178
                                Jun 6, 2023 17:17:04.090801001 CEST623354972291.193.75.178192.168.2.7
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Jun 6, 2023 17:15:07.998409986 CEST | 50505 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:15:08.025670052 CEST | 53 | 50505 | 8.8.8.8 | 192.168.2.7
                                Jun 6, 2023 17:15:13.234164000 CEST | 61178 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:15:13.260972023 CEST | 53 | 61178 | 8.8.8.8 | 192.168.2.7
                                Jun 6, 2023 17:15:18.433037996 CEST | 63926 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:15:18.468348980 CEST | 53 | 63926 | 8.8.8.8 | 192.168.2.7
                                Jun 6, 2023 17:15:39.592907906 CEST | 53336 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:15:39.622659922 CEST | 53 | 53336 | 8.8.8.8 | 192.168.2.7
                                Jun 6, 2023 17:15:47.244153023 CEST | 51007 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:15:48.235038042 CEST | 51007 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:15:49.251396894 CEST | 51007 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:15:49.266007900 CEST | 53 | 51007 | 8.8.8.8 | 192.168.2.7
                                Jun 6, 2023 17:15:54.400418997 CEST | 50513 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:15:54.427000046 CEST | 53 | 50513 | 8.8.8.8 | 192.168.2.7
                                Jun 6, 2023 17:16:15.239398956 CEST | 60765 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:16:15.265321970 CEST | 53 | 60765 | 8.8.8.8 | 192.168.2.7
                                Jun 6, 2023 17:16:20.392754078 CEST | 58283 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:16:20.412233114 CEST | 53 | 58283 | 8.8.8.8 | 192.168.2.7
                                Jun 6, 2023 17:16:25.534626961 CEST | 50024 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:16:25.560704947 CEST | 53 | 50024 | 8.8.8.8 | 192.168.2.7
                                Jun 6, 2023 17:16:47.245126009 CEST | 49516 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:16:47.265167952 CEST | 53 | 49516 | 8.8.8.8 | 192.168.2.7
                                Jun 6, 2023 17:16:52.649135113 CEST | 62679 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:16:52.684768915 CEST | 53 | 62679 | 8.8.8.8 | 192.168.2.7
                                Jun 6, 2023 17:16:57.794095039 CEST | 61392 | 53 | 192.168.2.7 | 8.8.8.8
                                Jun 6, 2023 17:16:57.822252989 CEST | 53 | 61392 | 8.8.8.8 | 192.168.2.7
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Jun 6, 2023 17:15:07.998409986 CEST | 192.168.2.7 | 8.8.8.8 | 0x6942 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:15:13.234164000 CEST | 192.168.2.7 | 8.8.8.8 | 0xc87a | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:15:18.433037996 CEST | 192.168.2.7 | 8.8.8.8 | 0x96e | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:15:39.592907906 CEST | 192.168.2.7 | 8.8.8.8 | 0xdc39 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:15:47.244153023 CEST | 192.168.2.7 | 8.8.8.8 | 0xecba | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:15:48.235038042 CEST | 192.168.2.7 | 8.8.8.8 | 0xecba | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:15:49.251396894 CEST | 192.168.2.7 | 8.8.8.8 | 0xecba | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:15:54.400418997 CEST | 192.168.2.7 | 8.8.8.8 | 0xf336 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:16:15.239398956 CEST | 192.168.2.7 | 8.8.8.8 | 0x5e3f | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:16:20.392754078 CEST | 192.168.2.7 | 8.8.8.8 | 0x9e74 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:16:25.534626961 CEST | 192.168.2.7 | 8.8.8.8 | 0xb958 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:16:47.245126009 CEST | 192.168.2.7 | 8.8.8.8 | 0x236c | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:16:52.649135113 CEST | 192.168.2.7 | 8.8.8.8 | 0xa3d1 | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:16:57.794095039 CEST | 192.168.2.7 | 8.8.8.8 | 0x6ec | Standard query (0) | ezemnia3.ddns.net | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Jun 6, 2023 17:15:08.025670052 CEST | 8.8.8.8 | 192.168.2.7 | 0x6942 | No error (0) | ezemnia3.ddns.net |  | 79.134.225.109 | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:15:13.260972023 CEST | 8.8.8.8 | 192.168.2.7 | 0xc87a | No error (0) | ezemnia3.ddns.net |  | 79.134.225.109 | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:15:18.468348980 CEST | 8.8.8.8 | 192.168.2.7 | 0x96e | No error (0) | ezemnia3.ddns.net |  | 79.134.225.109 | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:15:39.622659922 CEST | 8.8.8.8 | 192.168.2.7 | 0xdc39 | No error (0) | ezemnia3.ddns.net |  | 79.134.225.109 | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:15:49.266007900 CEST | 8.8.8.8 | 192.168.2.7 | 0xecba | No error (0) | ezemnia3.ddns.net |  | 79.134.225.109 | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:15:54.427000046 CEST | 8.8.8.8 | 192.168.2.7 | 0xf336 | No error (0) | ezemnia3.ddns.net |  | 79.134.225.109 | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:16:15.265321970 CEST | 8.8.8.8 | 192.168.2.7 | 0x5e3f | No error (0) | ezemnia3.ddns.net |  | 79.134.225.109 | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:16:20.412233114 CEST | 8.8.8.8 | 192.168.2.7 | 0x9e74 | No error (0) | ezemnia3.ddns.net |  | 79.134.225.109 | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:16:25.560704947 CEST | 8.8.8.8 | 192.168.2.7 | 0xb958 | No error (0) | ezemnia3.ddns.net |  | 79.134.225.109 | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:16:47.265167952 CEST | 8.8.8.8 | 192.168.2.7 | 0x236c | No error (0) | ezemnia3.ddns.net |  | 79.134.225.109 | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:16:52.684768915 CEST | 8.8.8.8 | 192.168.2.7 | 0xa3d1 | No error (0) | ezemnia3.ddns.net |  | 79.134.225.109 | A (IP address) | IN (0x0001) | false
                                Jun 6, 2023 17:16:57.822252989 CEST | 8.8.8.8 | 192.168.2.7 | 0x6ec | No error (0) | ezemnia3.ddns.net |  | 79.134.225.109 | A (IP address) | IN (0x0001) | false

                                Target ID:0
                                Start time:17:14:59
                                Start date:06/06/2023
                                Path:C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Users\user\Desktop\file.exe
                                Imagebase:0x21a8f880000
                                File size:492032 bytes
                                MD5 hash:462948D717E44BDA852450260EC44D37
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.355215154.0000021AA483E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                Reputation:low

                                Target ID:1
                                Start time:17:15:05
                                Start date:06/06/2023
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                Imagebase:0x4a0000
                                File size:55400 bytes
                                MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.612406420.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.605881563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.612460199.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.611319560.0000000003849000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.606910359.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                Reputation:high

                                Target ID:2
                                Start time:17:15:17
                                Start date:06/06/2023
                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                Imagebase:0xb80000
                                File size:55400 bytes
                                MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:.Net C# or VB.NET
                                Antivirus matches:
                                • Detection: 0%, ReversingLabs
                                Reputation:high

                                Target ID:3
                                Start time:17:15:18
                                Start date:06/06/2023
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6edaf0000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: *
                                  • API String ID: 0-163128923
                                  • Opcode ID: ef5d675736ca36031b236d10c536c22e40ef77cb66aa87bd2630fb345f4543f5
                                  • Instruction ID: 7f7e395e5b3e163ec675d0052ecc41df9f2001e22da1eb4ecfedd5a4e42562e8
                                  • Opcode Fuzzy Hash: ef5d675736ca36031b236d10c536c22e40ef77cb66aa87bd2630fb345f4543f5
                                  • Instruction Fuzzy Hash: 2E11AC70A1962C8FEBA4EF18C895BE8B7B1FB18301F1040E9D40DE7291DA74AE818F41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :
                                  • API String ID: 0-336475711
                                  • Opcode ID: 5cccb09532c278541a74c84b4aa5e4071960608f9cf25596e8b3c5c5eafb3bc9
                                  • Instruction ID: 974e613beb89cf5af7dcbd1d37a5f26bd58243977ee18c29ec66a108dce91876
                                  • Opcode Fuzzy Hash: 5cccb09532c278541a74c84b4aa5e4071960608f9cf25596e8b3c5c5eafb3bc9
                                  • Instruction Fuzzy Hash: 5C01F670E095098EEB64EF15D8A47E8B7B2EB59311F1041BAD00DA3291DFB92E848B80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1831c86c946b83edea8a025d38342095760b9b32efb6d0f0ab65fec57e59bbba
                                  • Instruction ID: deb2a3979c0b887c17e3b21634827132c4c2cb9da6acffa0f49e993bef8df599
                                  • Opcode Fuzzy Hash: 1831c86c946b83edea8a025d38342095760b9b32efb6d0f0ab65fec57e59bbba
                                  • Instruction Fuzzy Hash: 27B1A875A0591C8FDB99EF18C895BA8B7B1FF59301F1041EAD04DE7261DA716E81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb20d92f3e5d5e729a464f7b8fe93546539b6be6dd97c7960ec903c8249759a2
                                  • Instruction ID: ba63b84584bea4d337249292f8ec651fa0cb352bfef12760ded33761c553e7dd
                                  • Opcode Fuzzy Hash: fb20d92f3e5d5e729a464f7b8fe93546539b6be6dd97c7960ec903c8249759a2
                                  • Instruction Fuzzy Hash: 69519630A08A5D8FEB95EF18C4656A87BF1FF5A301F1401FAD04DD72A2DEB1A981CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1979db7461748b666978a0a94d4fd3e1d6224d51c9437f3b5940de89a8f9165e
                                  • Instruction ID: 3e0cb8629acbf15783836a40a3a2cc0b5eae08a76306a6baae391f8ce273f0b1
                                  • Opcode Fuzzy Hash: 1979db7461748b666978a0a94d4fd3e1d6224d51c9437f3b5940de89a8f9165e
                                  • Instruction Fuzzy Hash: F6314C31A0854ACFEF80FF68D885AED7BA0FF68311F1001B6E508C7261DB74A5A5CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cca5ff544d8e9b07acf77eee95c7f468f9919a462a9d3cf67e9d7e581e570895
                                  • Instruction ID: d33e794bb434e464f00c4ff558f1b9f38db552fd0ec83590740ee5c0d412d52b
                                  • Opcode Fuzzy Hash: cca5ff544d8e9b07acf77eee95c7f468f9919a462a9d3cf67e9d7e581e570895
                                  • Instruction Fuzzy Hash: 8631B372E0E68A4FEB5A9F5588215FD7BB1EF46301F0401BAC055DB3D2DBB82906C781
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 337b48dc47ba43b44b368d0f2545e1adac551099b97be6c981d118740bd79773
                                  • Instruction ID: 025e86c8d4a2e7622b1b730cf17949875c5428314ed9c34f12cd2991ee1be07f
                                  • Opcode Fuzzy Hash: 337b48dc47ba43b44b368d0f2545e1adac551099b97be6c981d118740bd79773
                                  • Instruction Fuzzy Hash: 0821026284E3C54FE7036B745C765A17FB0AF13214B0A06EBD4C1CB1A3E9881A59C762
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: af82b884c38b039e49bb5064851e3f94a3b84499681765aedf868eee7d711c7e
                                  • Instruction ID: 232f472728aa1269379b20afe82189458865cd7e9a646876167b09846031c9fe
                                  • Opcode Fuzzy Hash: af82b884c38b039e49bb5064851e3f94a3b84499681765aedf868eee7d711c7e
                                  • Instruction Fuzzy Hash: 6E219336A08609CFEB55FF6CE8446E973A0FF48321F00017AE55CCB1A2DB74A599CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff7abd3b179372e9a3d9362f2ce4529b45b02f605581f01b96c248ca26594561
                                  • Instruction ID: 3d758bd19ab64bc99fb6c7e4ad678c97afe28ae9a89d38fd863e9a980bcc33de
                                  • Opcode Fuzzy Hash: ff7abd3b179372e9a3d9362f2ce4529b45b02f605581f01b96c248ca26594561
                                  • Instruction Fuzzy Hash: F1112934E0861E9FEB54EF55C4182ED73F1EB48301F104679D419E3281DAB96D468B95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7a1783594c5f12770955e37ea09cca147c9a556544efbe96b07d12b55279206b
                                  • Instruction ID: cfa317b4aba266484b342d43ae391d54f07f98f36a0a5e7d9d707acfa4fb4bce
                                  • Opcode Fuzzy Hash: 7a1783594c5f12770955e37ea09cca147c9a556544efbe96b07d12b55279206b
                                  • Instruction Fuzzy Hash: D71117709089198FEB51EF15C898BA9B3B1FF58341F5141EAD40ED72A2EEB46D81CF80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 99bec60d8d7b4d8549a80d6582882dfb2b22599a1b0e0fadd44f98528aebb24d
                                  • Instruction ID: e1c1dbbc5f884ce0b797d8bffbd6b7ed8a424ff2820c8444ad9811e688380a39
                                  • Opcode Fuzzy Hash: 99bec60d8d7b4d8549a80d6582882dfb2b22599a1b0e0fadd44f98528aebb24d
                                  • Instruction Fuzzy Hash: 3211FC70E0821ADEEB50EF96C4546ADB7B0FF54302F104175D40DDB391DA786546CF85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bf489fdc6c1da43dbe709b307d90df0070618b4134143d00c22697dfb30b6655
                                  • Instruction ID: 660cdb0af2bd1d089a6751822aac840c82d857292f405bc13f0e6547c6cf0407
                                  • Opcode Fuzzy Hash: bf489fdc6c1da43dbe709b307d90df0070618b4134143d00c22697dfb30b6655
                                  • Instruction Fuzzy Hash: F0115174D082498FD755EF69D8A46BCBBB0EF09341F1441BAD40DEB3A1DAB41985CF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d2bed5eb6afd49452dfdaf53537467cd32bd965047d04cbd62e090631cd22880
                                  • Instruction ID: d7a0d5f551dc09f2200a559406016e0ebb9ccf63c5dfa6e1eccafdf81058166f
                                  • Opcode Fuzzy Hash: d2bed5eb6afd49452dfdaf53537467cd32bd965047d04cbd62e090631cd22880
                                  • Instruction Fuzzy Hash: C51129B0D082498FDB95EF59D8A47ACBBB0EF09311F1040BAD00DE7391DAB42A85CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4dba5814ecdf84818487bafe857edeefa7f533df88eb094dc7b0c539d768fa2b
                                  • Instruction ID: 64af9d2ff72d94684db9c1915ec738ff6167c33a068b20510fc7b32d23b680a1
                                  • Opcode Fuzzy Hash: 4dba5814ecdf84818487bafe857edeefa7f533df88eb094dc7b0c539d768fa2b
                                  • Instruction Fuzzy Hash: E0015E71E081198EEB55EF48EC947E8BBB1FB44321F1042BAD449D7291DAB82A81CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1cac25dcbc499b8187139c218491de29673c56d8ef6fa0c2688f953192900874
                                  • Instruction ID: 4b641dcda041021e9ce855e57ae53447eec51fa27b6c2aa81aad748b802b43ed
                                  • Opcode Fuzzy Hash: 1cac25dcbc499b8187139c218491de29673c56d8ef6fa0c2688f953192900874
                                  • Instruction Fuzzy Hash: 00114A7490491D8FDF94EF09C894FA9B7B2FB98301F1042E9900DE7265CA719D81CF84
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5028136a70dc7e10bd926303c359975acac9e366562ffdd25b94b5a8f713e158
                                  • Instruction ID: e7fc3c5f407e7e54674cdcb1265809ad3538b1c4d8aedb218f19c627ebe5cb61
                                  • Opcode Fuzzy Hash: 5028136a70dc7e10bd926303c359975acac9e366562ffdd25b94b5a8f713e158
                                  • Instruction Fuzzy Hash: B7015E75A0A25A8FEB89AF55D824AFE7771EF01311F04466AC015DB291CBB82946C780
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3e6cbfa056964dbffbc78452076e586fae1879e0273cd597d245978c358d70e6
                                  • Instruction ID: f99d1859c39b0c401582fc6926f15d8f5af3b7653681cb19feaa9347f31e89c7
                                  • Opcode Fuzzy Hash: 3e6cbfa056964dbffbc78452076e586fae1879e0273cd597d245978c358d70e6
                                  • Instruction Fuzzy Hash: DAF09632E0821A8BEB10BF79EC055E97320AF45321F00457AD5588F1F2DF796599CAC5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0316b96cb833296128c51157de4bea52d8fa1e9910b496d4760da6736056c445
                                  • Instruction ID: aefeeeb56eab45802dc51a63c2be561be0b03a25c30d3b253b5def6bef48ec0e
                                  • Opcode Fuzzy Hash: 0316b96cb833296128c51157de4bea52d8fa1e9910b496d4760da6736056c445
                                  • Instruction Fuzzy Hash: 74F0AE32E0811686FB11BF79EC051E97320FF45311F00453AD55C8B2E1DF786599CAD5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 79972152858322ce4dd27fbb2f3185d5fdf177330de8f989a3ae1768c455dd70
                                  • Instruction ID: 3c6d3d21d3a443c1b0b66e1db8f4af24b29123b2bcb47c140ca56f0c3a37ac45
                                  • Opcode Fuzzy Hash: 79972152858322ce4dd27fbb2f3185d5fdf177330de8f989a3ae1768c455dd70
                                  • Instruction Fuzzy Hash: 91F0A031D0821A8AFB01BF35AC051E93320AF45310F00053AE55C8B2E29FB825A9CA89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 654a2972adf7453aeb22080782a0e1b9f05c0835dfefb14d15b487acf2d790ca
                                  • Instruction ID: 506716369ae6ee6f4a7b21e7e22eaca2f44823322e05ed1666d8a084891e5fee
                                  • Opcode Fuzzy Hash: 654a2972adf7453aeb22080782a0e1b9f05c0835dfefb14d15b487acf2d790ca
                                  • Instruction Fuzzy Hash: 2EE09236B4441DCFDF21EE58E8411E9B371FF94322F4400B2D40DC7250DA72AA96CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb0357830eccf91efc46276b3ee43516baed448af5013f75b3954cce8a9c2e95
                                  • Instruction ID: 2d80e3669cb5799aa3cf9b37b4e9dd842895b862deb4e38d0ce26ebe6143d85f
                                  • Opcode Fuzzy Hash: fb0357830eccf91efc46276b3ee43516baed448af5013f75b3954cce8a9c2e95
                                  • Instruction Fuzzy Hash: 81E0ED3591494D9FEB90EF6488496EEB7E0FF18305F50457AE81CD3290DEB4A694CF81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2e27bef543e527f4da92c20200486f59faf050ba45f873cda52f33263bdca041
                                  • Instruction ID: bea15fd49c3ca3eb5477680e5296c20eccbf0da08a3dc5f5c41098738537d9c8
                                  • Opcode Fuzzy Hash: 2e27bef543e527f4da92c20200486f59faf050ba45f873cda52f33263bdca041
                                  • Instruction Fuzzy Hash: B0E0DF2284D2C84BE3226E2058692E83F60EF82301F9A01B6E048861D2EE9D55598382
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 04ee69497c8d7601bde3aaa8a63e59e51c4137c57462a4e5a774e30803880cf3
                                  • Instruction ID: 9af80635971b0660c0533f0a404bd19726cac31ad57daf952b72e2ab026f043d
                                  • Opcode Fuzzy Hash: 04ee69497c8d7601bde3aaa8a63e59e51c4137c57462a4e5a774e30803880cf3
                                  • Instruction Fuzzy Hash: 6DD0A73554460D8FC710FF45E0001D47361FB84315F00057AD40DC7241C7379662CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c7fb794003063f99333de45ff05a83dbde48dd55f4a16a74b73e384c9db63806
                                  • Instruction ID: ecf478e34207605eedcec140d98c411c71f9523e670b65407d5a340b032b7eb0
                                  • Opcode Fuzzy Hash: c7fb794003063f99333de45ff05a83dbde48dd55f4a16a74b73e384c9db63806
                                  • Instruction Fuzzy Hash: 15D0C27190492D9EDBA9DE1988A63E9B6A1EB58301F5040AF810EE2691DE725A819F01
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: af5c1b82330fbdd6a035b8a69cbb12ddabf5a1c66f10af4149a4f1912513d1ca
                                  • Instruction ID: dddb52571d92fe85539cdc282f0b5865b39fd7724497567983a77b258dfc47cb
                                  • Opcode Fuzzy Hash: af5c1b82330fbdd6a035b8a69cbb12ddabf5a1c66f10af4149a4f1912513d1ca
                                  • Instruction Fuzzy Hash: 0CC09232D0490CAF9F80EF9994459ECBBF0FB18302F0041A2E90CE3201DE31A6A18B80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.357469797.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffdc2a90000_file.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c9ac01959f451ede862bdd786e0a2abd3a584fd689fc0c7a258668d57abbd830
                                  • Instruction ID: 1b0c1a0572d4c9c499a3215ac427cddedc85915d74820ce4ee415db4389c06bc
                                  • Opcode Fuzzy Hash: c9ac01959f451ede862bdd786e0a2abd3a584fd689fc0c7a258668d57abbd830
                                  • Instruction Fuzzy Hash: 79B092B0A0800A8AE740AE96DC602BDA6706F40301F000034A219D3281CFB928428684
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:11.2%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:130
                                  Total number of Limit Nodes:8
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.612930958.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_5de0000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c8b9dd0f893d3244222b0b324725dbe3888c039d09570eee6fd5f5fcda379af8
                                  • Instruction ID: 2fdfbbedc109eddbfc1b864488ed7250cc4637b935a81c26a8396fee9f79ea04
                                  • Opcode Fuzzy Hash: c8b9dd0f893d3244222b0b324725dbe3888c039d09570eee6fd5f5fcda379af8
                                  • Instruction Fuzzy Hash: B4427974A00605DFCB14DF59C488AAEBBF2FF88310B15896AD45AAB655C774FC82CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 04C5B730
                                  • GetCurrentThread.KERNEL32 ref: 04C5B76D
                                  • GetCurrentProcess.KERNEL32 ref: 04C5B7AA
                                  • GetCurrentThreadId.KERNEL32 ref: 04C5B803
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 8a0f5fce562643e719959751c0dcdacee47d5e3521ce7214659b631f8da70129
                                  • Instruction ID: c4f6b1e83abb509c0f8659c26698be58015be4a5a01256d1165a143a95c9a8c8
                                  • Opcode Fuzzy Hash: 8a0f5fce562643e719959751c0dcdacee47d5e3521ce7214659b631f8da70129
                                  • Instruction Fuzzy Hash: 105143B49006488FDB10CFAAD588BDEBFF1EF88314F208559E419A7260D779A984CF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 04C5B730
                                  • GetCurrentThread.KERNEL32 ref: 04C5B76D
                                  • GetCurrentProcess.KERNEL32 ref: 04C5B7AA
                                  • GetCurrentThreadId.KERNEL32 ref: 04C5B803
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 5fe8ccd163df8cd2a8675bb354dd318d17cc78ca9901d2e94e5c5ead21130fe4
                                  • Instruction ID: af5c0c50805df5acd5af6e22a09f94e682d3e3af4d9e1748173aa61699dccccd
                                  • Opcode Fuzzy Hash: 5fe8ccd163df8cd2a8675bb354dd318d17cc78ca9901d2e94e5c5ead21130fe4
                                  • Instruction Fuzzy Hash: D15143B49006488FDB10CFAAD588BDEBFF1EF88314F208559E419A3260D779A984CF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000001.00000002.612930958.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_5de0000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 940b8d8445398881cc23cb43c7a1555d3167f735bb93ccada5066bb0139d34c6
                                  • Instruction ID: 2b2e2c76e8f4634e253d7e27525bf34368e647b9ce7f2ba7f483cee314b03eee
                                  • Opcode Fuzzy Hash: 940b8d8445398881cc23cb43c7a1555d3167f735bb93ccada5066bb0139d34c6
                                  • Instruction Fuzzy Hash: 838159B1D04649DFDB10EFA9C8806EEBBB1FF89304F20852AD815BB250DB74A945CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 04C5962E
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: eba56c79dfe53c1a750c22d6d0c0fab74ae18deaf71f642c306f80c89b04e0f8
                                  • Instruction ID: 041ae1839e10a82bb7df2c9b239ceb2fcf5d6c559f053ece16c4f589a4fcc02f
                                  • Opcode Fuzzy Hash: eba56c79dfe53c1a750c22d6d0c0fab74ae18deaf71f642c306f80c89b04e0f8
                                  • Instruction Fuzzy Hash: CC7125B0A00B058FD764DF2AD45075ABBF2BF88314F008A6DD88AD7A60D734F985CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph
                                   • Function 5de3604-5de37d7; DnsQuery_A called from block 5de36f7-5de3748
                                  APIs
                                  • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 05DE3738
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.612930958.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_5de0000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: Query_
                                  • String ID:
                                  • API String ID: 428220571-0
                                  • Opcode ID: 57af70a67584806419c7cc1eb3ead1552e2b0d006777ab10494bc59097eb916b
                                  • Instruction ID: 55778d80b4bb8f077a63416cca1d7490df7520a83203429dcae9ea5af26edaaf
                                  • Opcode Fuzzy Hash: 57af70a67584806419c7cc1eb3ead1552e2b0d006777ab10494bc59097eb916b
                                  • Instruction Fuzzy Hash: E45145B1D006599FDB10DFA9C880AEDBBB1FF48304F20852AE815BB350DB74A845CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph
                                   • Function 5de190c-5de37d7; DnsQuery_A called from block 5de36bc-5de3748
                                  APIs
                                  • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 05DE3738
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.612930958.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_5de0000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: Query_
                                  • String ID:
                                  • API String ID: 428220571-0
                                  • Opcode ID: ff5bddd5d0a3599e16a51a9214358498d80e4db809b6aba6f811a4fb45916b6d
                                  • Instruction ID: 9feb9e7234dc3e29e3118f4e946b0aec3c5debd29af4cfb69b73fd5f054119fa
                                  • Opcode Fuzzy Hash: ff5bddd5d0a3599e16a51a9214358498d80e4db809b6aba6f811a4fb45916b6d
                                  • Instruction Fuzzy Hash: 215135B1D006599FDB14DFA9C8846EEBBB1FF48304F20852AE815BB350DB74A845CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph
                                   • Function 4c5fb68-4c5fd69; CreateWindowExW called from block 4c5fcbb-4c5fd1a
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C5FD0A
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 09a99b449ac38b3eddff7adb20152cf188bdd7514be9d1415c305cb0f0f8e7b7
                                  • Instruction ID: 27acae77fcf3f5e54ea75ed7fa7969a5e82143488f2b97e6cb8fbdbad5e4ef56
                                  • Opcode Fuzzy Hash: 09a99b449ac38b3eddff7adb20152cf188bdd7514be9d1415c305cb0f0f8e7b7
                                  • Instruction Fuzzy Hash: E151E3B1D002099FDB15CF99C880ADDBFB2FF48310F24812EE808AB211D774A985CF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph
                                   • Function 4c5fbf8-4c5fd69; CreateWindowExW called from block 4c5fc7b-4c5fd1a
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C5FD0A
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 4bda229a8757b9dab660769ea8b0211a6d8e2b16c56b053301f221812a89eed9
                                  • Instruction ID: 6089b094d6c9a51c8c5296bfdc4a84c58600cb822af21d2632dc84884054d8c8
                                  • Opcode Fuzzy Hash: 4bda229a8757b9dab660769ea8b0211a6d8e2b16c56b053301f221812a89eed9
                                  • Instruction Fuzzy Hash: EF41A2B1D003099FDB15CF99C884ADEBBB6FF48310F24812EE819AB214D774A985CF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph
                                   • Function 4c5bcff-4c5bdba; DuplicateHandle called from block 4c5bcff-4c5bd94
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04C5BD87
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 68b0541fc562ff5a2ee032f0383159857288496a9965bb9d8af08275661a42aa
                                  • Instruction ID: 8267e41c9e60b9c640b97d37fb6fff53c3e1206ee9cd1689eb3d63a5a6b93ec1
                                  • Opcode Fuzzy Hash: 68b0541fc562ff5a2ee032f0383159857288496a9965bb9d8af08275661a42aa
                                  • Instruction Fuzzy Hash: F621C4B5D002199FDB10CF9AD584ADEBFF5EB58320F14841AE918A7310D378A944CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph
                                   • Function 4c5bd00-4c5bdba; DuplicateHandle called from block 4c5bd00-4c5bd94
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04C5BD87
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 4625af8be289fbc43a433f527f44a766e489efa9e3cddbea1374901677eb434c
                                  • Instruction ID: 293969546110c79ec422dab408848d4a6490a766fb7942f1a9832e4b2096369f
                                  • Opcode Fuzzy Hash: 4625af8be289fbc43a433f527f44a766e489efa9e3cddbea1374901677eb434c
                                  • Instruction Fuzzy Hash: 9121C4B5D002199FDB10CF9AD984ADEBFF9EB58320F14841AE914A3310D378A944CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph
                                   • Function 4c58768-4c598ed; LoadLibraryExW called from block 4c59898-4c598c7
                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04C596A9,00000800,00000000,00000000), ref: 04C598BA
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 5016e49cf194988f4cbe0c9dc29ed589f105ad95621c5eac59a4c01de098a09e
                                  • Instruction ID: 9a54a943756180a056ca25824f229fc904a3507fd6d8391bc5d8bf85e22aaaee
                                  • Opcode Fuzzy Hash: 5016e49cf194988f4cbe0c9dc29ed589f105ad95621c5eac59a4c01de098a09e
                                  • Instruction Fuzzy Hash: 411103B6D002099FDB10CF9AC444ADEFBF9EB58320F14846ED819B7610C379A945CFA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph
                                   • Function 4c5984f-4c598ed; LoadLibraryExW called from block 4c59898-4c598c7
                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04C596A9,00000800,00000000,00000000), ref: 04C598BA
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 0bbbf07d99be7619ae231075575745df2eeda63ea1370a80273bf4bea07db70c
                                  • Instruction ID: 5f4c9eb87e9e57457156e9a2a10ebbc50cbb221285f63b48cf203d4098cfb17e
                                  • Opcode Fuzzy Hash: 0bbbf07d99be7619ae231075575745df2eeda63ea1370a80273bf4bea07db70c
                                  • Instruction Fuzzy Hash: 6F11F6B6D002098FDB10CF9AD444ADEFBF5EB58310F14856ED819A7610C379A545CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph
                                   • Function 4c595c8-4c59658; GetModuleHandleW called from block 4c59610-4c5963b
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 04C5962E
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: c8f2d7d695dd1cc5730ba62f18741e6a214559fa700681ab96fd937ea5aa083d
                                  • Instruction ID: cc7f6bf42b7104f1737c82a30ce55a3ba25762b31089b6ab251a653713640aaf
                                  • Opcode Fuzzy Hash: c8f2d7d695dd1cc5730ba62f18741e6a214559fa700681ab96fd937ea5aa083d
                                  • Instruction Fuzzy Hash: C31113B6C006098FDB10CF9AC444ADEFBF5EF88324F10855AD819A7210D774A545CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph
                                   • Function 4c5fe3b-4c5fec7; SetWindowLongW called from block 4c5fe3b-4c5feaa
                                  APIs
                                  • SetWindowLongW.USER32(?,?,?), ref: 04C5FE9D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  • Opcode ID: d2670252b1d24a2401cb726f567b23d6e519063971b980cad58f68fe4c4b4e89
                                  • Instruction ID: 2e56a7c0cd005ea4a088cde8657e6bf806c24644659d48fc80a5fbc337e9f6d6
                                  • Opcode Fuzzy Hash: d2670252b1d24a2401cb726f567b23d6e519063971b980cad58f68fe4c4b4e89
                                  • Instruction Fuzzy Hash: 341118B5D002098FDB10CF99D584BDEBBF8EB48320F10851AD815A7341C374A945CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   Control-flow Graph
                                   • Function 4c5fe40-4c5fec7; SetWindowLongW called from block 4c5fe40-4c5feaa
                                  APIs
                                  • SetWindowLongW.USER32(?,?,?), ref: 04C5FE9D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  • Opcode ID: 0c6c3c307fcfaf433851d7851d6336460496d47af0562590db1558d6133d8b34
                                  • Instruction ID: ba233976710d8bfebc7facb79d56c1b80765e6038ed34313d7b088bb11206095
                                  • Opcode Fuzzy Hash: 0c6c3c307fcfaf433851d7851d6336460496d47af0562590db1558d6133d8b34
                                  • Instruction Fuzzy Hash: 9F1115B5C002098FDB10CF9AD584BDFBBF8EB48320F10851AD815A3340C374A944CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8f0d777dd9d281fe7ec20e6df83dbb83e51e1fe0b142640e5f604f2ae5d5f4d7
                                  • Instruction ID: 1fd1dd478a707185ec623c10434ed9420e4f5ca5f8b3cafc722a2cbcf420ce3b
                                  • Opcode Fuzzy Hash: 8f0d777dd9d281fe7ec20e6df83dbb83e51e1fe0b142640e5f604f2ae5d5f4d7
                                  • Instruction Fuzzy Hash: 7A12EBF1C91B468BD390CF65E5981893BA1B74032AFD14A08D3A19BAD4E7B4117EEF4C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 370151012eaefbbd90e56a81c30afb775a46c8c72e34c747325ec9cd97cbbd37
                                  • Instruction ID: 3299117240c791d6f2fdc9aa067bf03072e1a5c5fe70f20942b29ec5831ad764
                                  • Opcode Fuzzy Hash: 370151012eaefbbd90e56a81c30afb775a46c8c72e34c747325ec9cd97cbbd37
                                  • Instruction Fuzzy Hash: D9A18D36E0030ACFCF15DFA5C8445DEBBB3FF85304B15856AE906AB220EB71A995DB44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000001.00000002.611629412.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_4c50000_aspnet_compiler.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9edabe668356fa4fbdbac8e300da54611087b5b5337883e08d24810851536b2f
                                  • Instruction ID: 673008394bc9f4fe21b8b5447e1a1d1d4486a41fdba2468900c22e23d21d463c
                                  • Opcode Fuzzy Hash: 9edabe668356fa4fbdbac8e300da54611087b5b5337883e08d24810851536b2f
                                  • Instruction Fuzzy Hash: C9C12BB1C917468BD390DF65E9881893BB1BB44325FD14A08D3A1AB6D0E7B4117EEF48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.381119272.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_3020000_dhcpmon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $,q
                                  • API String ID: 0-532241818
                                  • Opcode ID: 95aa5c7ac229895804d92089ef059bfb48150c897d0ac18b801dadd272ad4d4d
                                  • Instruction ID: fd9c4038eb945aa73fb1ce3ab190b9b7f0461dae06ffbf56fb8b29a205ab4866
                                  • Opcode Fuzzy Hash: 95aa5c7ac229895804d92089ef059bfb48150c897d0ac18b801dadd272ad4d4d
                                  • Instruction Fuzzy Hash: C3F0E271A02A158FC716EB7DE492A68BBF1EF86200B1808A9D406DB361DB3D5C16CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.381119272.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_3020000_dhcpmon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $,q
                                  • API String ID: 0-532241818
                                  • Opcode ID: 6edff5ebf809879c13b9ef1700bc2ec8454c99cd5d2d9d5da593a4e3921018a1
                                  • Instruction ID: ef19147e8af0cb5eb1015407945d10693dba8f65fada374c5887d93e836e4edf
                                  • Opcode Fuzzy Hash: 6edff5ebf809879c13b9ef1700bc2ec8454c99cd5d2d9d5da593a4e3921018a1
                                  • Instruction Fuzzy Hash: 07E0D8716009098FC644EF6CE552A6977E9EF85600F440478D506D7360DF3C6C51C7E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.381119272.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_3020000_dhcpmon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1fe363a235976ed7365c619887dd9e01d91e4f0c89c08224dbcea9cba741289c
                                  • Instruction ID: 91b4ea89d69573d45e2f79706dcbe2d75cca90568aa18b4535bbcff0f4190729
                                  • Opcode Fuzzy Hash: 1fe363a235976ed7365c619887dd9e01d91e4f0c89c08224dbcea9cba741289c
                                  • Instruction Fuzzy Hash: 3F81BF31A023199FCB15EFB8D85466EBBF2EFC5300F1484B9D805AB251DB39AD46CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.381119272.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_3020000_dhcpmon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 27fe200a41387223618a5c5e74da65f434ae066e997a5c5a0994fdd6fc3e9e97
                                  • Instruction ID: e597068bf215f9b3f58f466f5b5e736ae71b41628b8489e5f591fd0571561aed
                                  • Opcode Fuzzy Hash: 27fe200a41387223618a5c5e74da65f434ae066e997a5c5a0994fdd6fc3e9e97
                                  • Instruction Fuzzy Hash: 0E41A231E022269FCB15EBB4D4546ADB7E6EFC9300F148479D805E7350EF78AD428B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.381119272.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_3020000_dhcpmon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9c19ba791ec3082a8cbbb22cf04ec2dcb989b0b5f9fb47f5394bb8e4fa92b755
                                  • Instruction ID: 7576dcd8dc7620cf2ae887ccba08d71ca55560c92fcdc357f89ea8ed67149ec9
                                  • Opcode Fuzzy Hash: 9c19ba791ec3082a8cbbb22cf04ec2dcb989b0b5f9fb47f5394bb8e4fa92b755
                                  • Instruction Fuzzy Hash: 3E3137347016108FC759EB78C49892D7BE2AF9A72532508BDE406CF3B1DA3AEC41CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.381119272.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_3020000_dhcpmon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eb3aa0f26edb24c5e41cb30ec20a4e3288693980cc871e0ec4b016400335977c
                                  • Instruction ID: 34767bb85dc9656560c5fd6e3262f487910e754f3b7ed55f7fb829ae66181a07
                                  • Opcode Fuzzy Hash: eb3aa0f26edb24c5e41cb30ec20a4e3288693980cc871e0ec4b016400335977c
                                  • Instruction Fuzzy Hash: 40214C35B022268FCB14EBB4D55876DB7E2EF88205F244478D805AB351DF7DED428B92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.381119272.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_3020000_dhcpmon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 837a485c10ed2dada0432194d8031cd56e12fed889d6a5487579bc68c245335a
                                  • Instruction ID: 32b249865c112ff0f89fd6b1b637e086296d111509c4bbd70038cdc55ab91261
                                  • Opcode Fuzzy Hash: 837a485c10ed2dada0432194d8031cd56e12fed889d6a5487579bc68c245335a
                                  • Instruction Fuzzy Hash: 8AE08C355053449FCB01EF38E4A49187FB0EF4B21531401E4D845CB322C339AC21CB01
                                  Uniqueness

                                  Uniqueness Score: -1.00%