
Analysis Report REF_ST73020203576_PDF.exe

Overview

General Information

Sample Name:REF_ST73020203576_PDF.exe
Analysis ID:255259
MD5:50620a618761d63b20428dfc609bd570
SHA1:584fb65f5715bd901a5931e320cd6706927ab110
SHA256:7d1ce7961e394f55fb7162e18e6cf587faa463d29ba5976eaad83b409f060621

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • REF_ST73020203576_PDF.exe (PID: 4408 cmdline: 'C:\Users\user\Desktop\REF_ST73020203576_PDF.exe' MD5: 50620A618761D63B20428DFC609BD570)
    • REF_ST73020203576_PDF.exe (PID: 4356 cmdline: {path} MD5: 50620A618761D63B20428DFC609BD570)
      • schtasks.exe (PID: 6052 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpFD28.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5448 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1CD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 488 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 50620A618761D63B20428DFC609BD570)
    • dhcpmon.exe (PID: 580 cmdline: {path} MD5: 50620A618761D63B20428DFC609BD570)
  • dhcpmon.exe (PID: 5992 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 50620A618761D63B20428DFC609BD570)
    • dhcpmon.exe (PID: 2472 cmdline: {path} MD5: 50620A618761D63B20428DFC609BD570)
    • dhcpmon.exe (PID: 1884 cmdline: {path} MD5: 50620A618761D63B20428DFC609BD570)
    • dhcpmon.exe (PID: 5676 cmdline: {path} MD5: 50620A618761D63B20428DFC609BD570)
    • dhcpmon.exe (PID: 5748 cmdline: {path} MD5: 50620A618761D63B20428DFC609BD570)
    • dhcpmon.exe (PID: 5756 cmdline: {path} MD5: 50620A618761D63B20428DFC609BD570)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["194.5.97.91:7583"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Initial Sample

Source | Rule | Description | Author (matched strings listed beneath each row)
REF_ST73020203576_PDF.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x97d91:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author (matched strings listed beneath each row)
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x97d91:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each row)
00000006.00000002.264759998.0000000000832000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x97b91:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000007.00000002.266670966.0000000000632000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x97b91:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000001.00000002.493658704.00000000005F2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x97b91:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0000000A.00000002.285538918.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.285538918.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each row)
0.0.REF_ST73020203576_PDF.exe.1a0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x97d91:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
19.2.dhcpmon.exe.360000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x97d91:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
21.0.dhcpmon.exe.300000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x97d91:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
6.0.REF_ST73020203576_PDF.exe.830000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x97d91:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
12.0.dhcpmon.exe.7f0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x97d91:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe, ProcessId: 4356, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpFD28.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpFD28.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe, ParentProcessId: 4356, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpFD28.tmp', ProcessId: 6052

Signature Overview

AV Detection:

Found malware configuration
Source: REF_ST73020203576_PDF.exe.4356.1.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["194.5.97.91:7583"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000A.00000002.285538918.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.500902156.0000000003B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.493451396.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.287624791.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.500171125.0000000003A09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.242315396.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.496127090.00000000029C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.279076242.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.288028722.0000000003DF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.290455230.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.278666450.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.288529442.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.501580851.00000000054B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.291016554.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 580, type: MEMORY
Source: Yara match | File source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 4640, type: MEMORY
Source: Yara match | File source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 4356, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 488, type: MEMORY
Source: Yara match | File source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 4408, type: MEMORY
Source: Yara match | File source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 5476, type: MEMORY
Source: Yara match | File source: 1.2.REF_ST73020203576_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.REF_ST73020203576_PDF.exe.54b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.REF_ST73020203576_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.REF_ST73020203576_PDF.exe.54b0000.5.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: REF_ST73020203576_PDF.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then push dword ptr [ebp-20h] (6_2_075F26E8)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (6_2_075F26E8)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (6_2_075F1C00)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h (6_2_075F5BD8)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then push dword ptr [ebp-24h] (6_2_075F2A08)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (6_2_075F2A08)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then push dword ptr [ebp-20h] (6_2_075F26DE)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (6_2_075F26DE)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (6_2_075F2205)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h (6_2_075F5B91)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h (6_2_075F5A4E)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then xor edx, edx (6_2_075F2940)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then xor edx, edx (6_2_075F293E)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then push dword ptr [ebp-24h] (6_2_075F29FC)
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (6_2_075F29FC)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then push dword ptr [ebp-20h] (7_2_073F26E8)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (7_2_073F26E8)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (7_2_073F1BF4)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h (7_2_073F5BD8)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then push dword ptr [ebp-24h] (7_2_073F2A08)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (7_2_073F2A08)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then push dword ptr [ebp-20h] (7_2_073F26DD)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (7_2_073F26DD)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (7_2_073F2205)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h (7_2_073F5CF0)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h (7_2_073F5B91)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h (7_2_073F5A4E)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then xor edx, edx (7_2_073F293F)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then xor edx, edx (7_2_073F2940)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then push dword ptr [ebp-24h] (7_2_073F29FC)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (7_2_073F29FC)
Source: global traffic | TCP traffic: 192.168.2.4:49697 -> 194.5.97.91:7583
Source: unknown | TCP traffic detected without corresponding DNS query: 194.5.97.91 (36 identical entries)
Source: REF_ST73020203576_PDF.exe, 00000001.00000002.496127090.00000000029C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: REF_ST73020203576_PDF.exe, 00000000.00000002.237522218.00000000008D8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: REF_ST73020203576_PDF.exe, 00000001.00000002.500171125.0000000003A09000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 0000000A.00000002.285538918.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.500902156.0000000003B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.493451396.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.287624791.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.500171125.0000000003A09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.242315396.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.496127090.00000000029C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.279076242.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.288028722.0000000003DF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.290455230.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.278666450.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.288529442.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.501580851.00000000054B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.291016554.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 580, type: MEMORY
Source: Yara match | File source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 4640, type: MEMORY
Source: Yara match | File source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 4356, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 488, type: MEMORY
Source: Yara match | File source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 4408, type: MEMORY
Source: Yara match | File source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 5476, type: MEMORY
Source: Yara match | File source: 1.2.REF_ST73020203576_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.REF_ST73020203576_PDF.exe.54b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.REF_ST73020203576_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.REF_ST73020203576_PDF.exe.54b0000.5.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000A.00000002.285538918.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.285538918.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.500902156.0000000003B11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.500902156.0000000003B11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.493451396.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.493451396.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.501335657.0000000005060000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.287624791.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.500171125.0000000003A09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.242315396.00000000035F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.242315396.00000000035F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.279076242.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.279076242.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.288028722.0000000003DF9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.290455230.00000000031A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.278666450.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.278666450.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.288529442.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.288529442.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.501580851.00000000054B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.291016554.00000000041A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 580, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 580, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 4640, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 4640, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 4356, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 4356, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 488, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 488, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 4408, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 4408, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 5476, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: REF_ST73020203576_PDF.exe PID: 5476, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.REF_ST73020203576_PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.REF_ST73020203576_PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.REF_ST73020203576_PDF.exe.54b0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.REF_ST73020203576_PDF.exe.5060000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.REF_ST73020203576_PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.REF_ST73020203576_PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.REF_ST73020203576_PDF.exe.54b0000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: REF_ST73020203576_PDF.exe
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024102FC NtQueryInformationProcess
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024102E3 NtQueryInformationProcess
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02416AA9 NtQueryInformationProcess
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 6_2_011A02FC NtQueryInformationProcess
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 6_2_011A02E2 NtQueryInformationProcess
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 6_2_011A6AA9 NtQueryInformationProcess
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_00F902FC NtQueryInformationProcess
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_00F90308 NtQueryInformationProcess
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_00F96AA9 NtQueryInformationProcess
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_023B09B8
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_023B0DF0
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_023B1288
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_023B23D8
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_023B09A9
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_023B0DE0
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02412340
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02411070
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024131D0
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02410480
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_0241A5A8
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02416BC8
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024158D0
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024118D8
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02418908
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02416210
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024152F8
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02415308
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02412331
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024170E8
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024170F0
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024161D8
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_0241319A
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_0241960E
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024156F8
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02415708
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024177E7
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024177F8
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02410478
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02415481
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02415490
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02415BA0
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02415BB0
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02416BB8
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024158C0
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024118C8
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024188DF
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_024188F8
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_0241DF00
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02418F90
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02418FA0
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02410FB0
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02411D41
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02418DC0
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02411D98
Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exe | Code function: 0_2_02418DB1
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 1_2_028DE4801_2_028DE480
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 1_2_028DE4711_2_028DE471
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 1_2_028DBBD41_2_028DBBD4
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 1_2_04F1F5F81_2_04F1F5F8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 1_2_04F197881_2_04F19788
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 1_2_04F1A5F81_2_04F1A5F8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 1_2_04F1A5D01_2_04F1A5D0
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 1_2_04F1A5801_2_04F1A580
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 1_2_063800401_2_06380040
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_04C109B86_2_04C109B8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_04C10E606_2_04C10E60
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_04C109A86_2_04C109A8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_04C112896_2_04C11289
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_04C10E516_2_04C10E51
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_04C123C96_2_04C123C9
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A31D06_2_011A31D0
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A10706_2_011A1070
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A23316_2_011A2331
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A04786_2_011A0478
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A88DF6_2_011A88DF
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A18C86_2_011A18C8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A58C06_2_011A58C0
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A6BC86_2_011A6BC8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A31796_2_011A3179
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A61D86_2_011A61D8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A10326_2_011A1032
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A30EE6_2_011A30EE
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A53086_2_011A5308
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A62106_2_011A6210
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A52F86_2_011A52F8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A54906_2_011A5490
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A54816_2_011A5481
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A57086_2_011A5708
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A77286_2_011A7728
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A77266_2_011A7726
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A56F86_2_011A56F8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011AA9906_2_011AA990
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A88E36_2_011A88E3
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A6BB86_2_011A6BB8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A5BB06_2_011A5BB0
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A5BA06_2_011A5BA0
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A1D416_2_011A1D41
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A1D986_2_011A1D98
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A8DB16_2_011A8DB1
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_011A8F906_2_011A8F90
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075FB3926_2_075FB392
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F72A06_2_075F72A0
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F41006_2_075F4100
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F5F296_2_075F5F29
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F8C386_2_075F8C38
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F7CC96_2_075F7CC9
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F6B106_2_075F6B10
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F49B96_2_075F49B9
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F77486_2_075F7748
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075FA6D86_2_075FA6D8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075FA6E86_2_075FA6E8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075FF5706_2_075FF570
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075FA4F06_2_075FA4F0
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F31C06_2_075F31C0
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075FB19A6_2_075FB19A
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F31B06_2_075F31B0
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075FB1A86_2_075FB1A8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075FAF486_2_075FAF48
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075FBE2D6_2_075FBE2D
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075FEEA86_2_075FEEA8
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075FAD186_2_075FAD18
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075FAD286_2_075FAD28
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F8BE66_2_075F8BE6
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F8BBA6_2_075F8BBA
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F6A686_2_075F6A68
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F9AD16_2_075F9AD1
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F6AE16_2_075F6AE1
    Source: C:\Users\user\Desktop\REF_ST73020203576_PDF.exeCode function: 6_2_075F9AE06_2_075F9AE0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_02890BA07_2_02890BA0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_028907687_2_02890768
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_02891CA87_2_02891CA8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_02890B907_2_02890B90
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_028907587_2_02890758
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_028911587_2_02891158
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_028921787_2_02892178
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F910707_2_00F91070
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F931D07_2_00F931D0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F923317_2_00F92331
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F904707_2_00F90470
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F918C87_2_00F918C8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F958C07_2_00F958C0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F96BC87_2_00F96BC8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F970F07_2_00F970F0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F930E87_2_00F930E8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F970E17_2_00F970E1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F961D87_2_00F961D8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F952F87_2_00F952F8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F962107_2_00F96210
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F953087_2_00F95308
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F954907_2_00F95490
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F954817_2_00F95481
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F956F87_2_00F956F8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F957087_2_00F95708
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F979D07_2_00F979D0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F979BF7_2_00F979BF
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F95BB07_2_00F95BB0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F96BB77_2_00F96BB7
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F95BA07_2_00F95BA0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F98DB17_2_00F98DB1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F90FB07_2_00F90FB0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_00F98F907_2_00F98F90
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073FB3917_2_073FB391
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F72A07_2_073F72A0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F41007_2_073F4100
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F5F297_2_073F5F29
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073FFD687_2_073FFD68
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F8C387_2_073F8C38
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F7CC87_2_073F7CC8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F6B107_2_073F6B10
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F49B97_2_073F49B9
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F77487_2_073F7748
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073FA6E87_2_073FA6E8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073FA6D87_2_073FA6D8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073FF5707_2_073FF570
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073FA4F07_2_073FA4F0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F31B07_2_073F31B0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073FB1A87_2_073FB1A8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073FB19A7_2_073FB19A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F31C07_2_073F31C0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073FAF487_2_073FAF48
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073FBE2D7_2_073FBE2D
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073FEEA87_2_073FEEA8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073FAD287_2_073FAD28
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073FAD187_2_073FAD18
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F8BE67_2_073F8BE6
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F8BC27_2_073F8BC2
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F6A687_2_073F6A68
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F6AE17_2_073F6AE1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F9AE07_2_073F9AE0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_073F9AD17_2_073F9AD1
    Source: REF_ST73020203576_PDF.exe Binary or memory string: OriginalFilename vs REF_ST73020203576_PDF.exe
    Source: REF_ST73020203576_PDF.exe, 00000000.00000002.237945935.00000000025F1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSparta.dll. vs REF_ST73020203576_PDF.exe
    Source: REF_ST73020203576_PDF.exe, 00000000.00000002.246165362.00000000078C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLoreal.exe4 vs REF_ST73020203576_PDF.exe
    Source: REF_ST73020203576_PDF.exe, 00000000.00000000.226787224.00000000001A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWVuco.exe. vs REF_ST73020203576_PDF.exe
    Source: REF_ST73020203576_PDF.exe, 00000000.00000002.237522218.00000000008D8000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs REF_ST73020203576_PDF.exe
    Source: REF_ST73020203576_PDF.exe Binary or memory string: OriginalFilename vs REF_ST73020203576_PDF.exe
    Source: REF_ST73020203576_PDF.exe, 00000001.00000002.501726612.0000000005EE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs REF_ST73020203576_PDF.exe
    Source: REF_ST73020203576_PDF.exe, 00000001.00000002.495127277.0000000000DDA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs REF_ST73020203576_PDF.exe
    Source: REF_ST73020203576_PDF.exe, 00000001.00000002.493658704.00000000005F2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWVuco.exe. vs REF_ST73020203576_PDF.exe
    Source: REF_ST73020203576_PDF.exe, 00000001.00000002.502193068.0000000006850000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs REF_ST73020203576_PDF.exe
    Source: REF_ST73020203576_PDF.exe, 00000001.00000002.500171125.0000000003A09000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs REF_ST73020203576_PDF.exe
    Source: REF_ST73020203576_PDF.exe, 00000001.00000002.500171125.0000000003A09000.00000004.00000001.sdmp