Analysis Report SUR BL 00957WE .exe

Overview

General Information

Sample Name: SUR BL 00957WE .exe
Analysis ID: 287421
MD5: 549e7f845117790309446949d7eaae7c
SHA1: 4623be14eeb5a3d625f3bd8d76644133bba21925
SHA256: 1778a255b790b18f042384c6ebb3176d3f3f0fd172d313b07242ac42b000132e
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • SUR BL 00957WE .exe (PID: 6832 cmdline: 'C:\Users\user\Desktop\SUR BL 00957WE .exe' MD5: 549E7F845117790309446949D7EAAE7C)
    • schtasks.exe (PID: 68 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmp86E7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • SUR BL 00957WE .exe (PID: 4100 cmdline: C:\Users\user\Desktop\SUR BL 00957WE .exe MD5: 549E7F845117790309446949D7EAAE7C)
      • schtasks.exe (PID: 6160 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp92CE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5920 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp957F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • SUR BL 00957WE .exe (PID: 6640 cmdline: 'C:\Users\user\Desktop\SUR BL 00957WE .exe' 0 MD5: 549E7F845117790309446949D7EAAE7C)
    • schtasks.exe (PID: 6740 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmpAE36.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • SUR BL 00957WE .exe (PID: 7116 cmdline: C:\Users\user\Desktop\SUR BL 00957WE .exe MD5: 549E7F845117790309446949D7EAAE7C)
  • dhcpmon.exe (PID: 6668 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 549E7F845117790309446949D7EAAE7C)
    • schtasks.exe (PID: 6628 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmpB20E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6556 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 549E7F845117790309446949D7EAAE7C)
  • dhcpmon.exe (PID: 7092 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 549E7F845117790309446949D7EAAE7C)
    • schtasks.exe (PID: 6320 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmpD47B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6884 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 549E7F845117790309446949D7EAAE7C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.395109851.0000000002CD1000.00000004.00000001.sdmp; Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security
Source: 0000000E.00000002.411966915.0000000003B59000.00000004.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 0000000E.00000002.411966915.0000000003B59000.00000004.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.411437458.0000000002B51000.00000004.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security

Unpacked PEs

Source: 3.2.SUR BL 00957WE .exe.400000.0.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 3.2.SUR BL 00957WE .exe.400000.0.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 3.2.SUR BL 00957WE .exe.400000.0.unpack; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 3.2.SUR BL 00957WE .exe.400000.0.unpack; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
Source: 21.2.dhcpmon.exe.400000.0.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\SUR BL 00957WE .exe, ProcessId: 4100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmp86E7.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmp86E7.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\SUR BL 00957WE .exe' , ParentImage: C:\Users\user\Desktop\SUR BL 00957WE .exe, ParentProcessId: 6832, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmp86E7.tmp', ProcessId: 68

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Virustotal: Detection: 23%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Roaming\XRgItgAeBZGif.exe; Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Roaming\XRgItgAeBZGif.exe; ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: SUR BL 00957WE .exe; Virustotal: Detection: 23%
Source: SUR BL 00957WE .exe; ReversingLabs: Detection: 27%
Yara detected Nanocore RAT
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 6884, type: MEMORY
Source: Yara match; File source: Process Memory Space: SUR BL 00957WE .exe PID: 4100, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 6556, type: MEMORY
Source: Yara match; File source: Process Memory Space: SUR BL 00957WE .exe PID: 7116, type: MEMORY
Source: Yara match; File source: 3.2.SUR BL 00957WE .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.SUR BL 00957WE .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\XRgItgAeBZGif.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SUR BL 00957WE .exe; Joe Sandbox ML: detected
Source: 3.2.SUR BL 00957WE .exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.SUR BL 00957WE .exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.2.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49725 -> 79.134.225.106:1122
Uses dynamic DNS services
Source: unknown; DNS query: name: ruffella.ddns.net
Source: global traffic; TCP traffic: 192.168.2.3:49725 -> 79.134.225.106:1122
Source: Joe Sandbox View; ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: unknown; DNS traffic detected: queries for: ruffella.ddns.net
Source: SUR BL 00957WE .exe, 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: SUR BL 00957WE .exe, 00000000.00000002.364856330.0000000003151000.00000004.00000001.sdmp, SUR BL 00957WE .exe, 00000003.00000002.624467782.0000000002C11000.00000004.00000001.sdmp, SUR BL 00957WE .exe, 00000008.00000002.392237823.00000000031A1000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000002.395109851.0000000002CD1000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.411747616.0000000002851000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dhcpmon.exe, 00000009.00000002.393635372.0000000001048000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: SUR BL 00957WE .exe, 0000000E.00000002.411966915.0000000003B59000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (same Yara match sources as listed under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: Process Memory Space: dhcpmon.exe PID: 6884, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6884, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SUR BL 00957WE .exe PID: 4100, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: SUR BL 00957WE .exe PID: 4100, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6556, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6556, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SUR BL 00957WE .exe PID: 7116, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: SUR BL 00957WE .exe PID: 7116, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.SUR BL 00957WE .exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.SUR BL 00957WE .exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.SUR BL 00957WE .exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 14.2.SUR BL 00957WE .exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: SUR BL 00957WE .exe, 00000000.00000003.357577960.00000000012B6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEminem.dll< vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000000.00000000.354033041.0000000000C5C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename1HRD.exe|. vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000000.00000002.368068798.00000000061D0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000000.00000002.368068798.00000000061D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000000.00000002.368451677.0000000006900000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000000.00000002.367270967.0000000005F90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameButterFly.dll< vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000003.534183290.0000000004836000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000003.534183290.0000000004836000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000003.534183290.0000000004836000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000002.624467782.0000000002C11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000003.00000000.363362705.000000000088C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename1HRD.exe|. vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000008.00000002.400743511.0000000006AD0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000008.00000002.400743511.0000000006AD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000008.00000002.391076235.0000000000E4C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename1HRD.exe|. vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000008.00000002.392337816.00000000031DC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEminem.dll< vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 00000008.00000002.399761476.00000000069D0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 0000000E.00000002.411966915.0000000003B59000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 0000000E.00000002.411966915.0000000003B59000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 0000000E.00000002.411966915.0000000003B59000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe, 0000000E.00000002.409383915.00000000007FC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename1HRD.exe|. vs SUR BL 00957WE .exe
          Source: SUR BL 00957WE .exe | Binary or memory string: OriginalFilename1HRD.exe|. vs SUR BL 00957WE .exe
          Source: 00000003.00000002.624680030.0000000002C7E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000E.00000002.411966915.0000000003B59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000E.00000002.411437458.0000000002B51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000003.00000003.534183290.0000000004836000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000011.00000002.411625331.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000010.00000002.414095694.0000000003859000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000010.00000002.414095694.0000000003859000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000015.00000002.428439757.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000015.00000002.428439757.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000015.00000002.430423153.00000000039A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000002.365228580.0000000004159000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.365228580.0000000004159000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000003.00000002.621722738.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000003.00000002.621722738.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.396933933.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.396933933.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000E.00000002.408809629.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000E.00000002.408809629.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000015.00000002.430306727.00000000029A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000011.00000002.411299047.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000008.00000002.393263456.00000000041A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000008.00000002.393263456.00000000041A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000011.00000002.409627149.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000011.00000002.409627149.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 6884, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 6884, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: SUR BL 00957WE .exe PID: 4100, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: SUR BL 00957WE .exe PID: 4100, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 6556, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 6556, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: SUR BL 00957WE .exe PID: 7116, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: SUR BL 00957WE .exe PID: 7116, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 3.2.SUR BL 00957WE .exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 3.2.SUR BL 00957WE .exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 3.2.SUR BL 00957WE .exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 14.2.SUR BL 00957WE .exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 14.2.SUR BL 00957WE .exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 14.2.SUR BL 00957WE .exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: SUR BL 00957WE .exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: XRgItgAeBZGif.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: dhcpmon.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: SUR BL 00957WE .exe, u0002u2000.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: XRgItgAeBZGif.exe.0.dr, u0002u2000.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.0.SUR BL 00957WE .exe.bd0000.0.unpack, u0002u2000.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.2.SUR BL 00957WE .exe.bd0000.0.unpack, u0002u2000.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: dhcpmon.exe.3.dr, u0002u2000.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 3.2.SUR BL 00957WE .exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@30/17@2/1
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | File created: C:\Program Files (x86)\DHCP Monitor
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | File created: C:\Users\user\AppData\Roaming\XRgItgAeBZGif.exe
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:120:WilError_01
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{06e7bbf5-110b-4d73-baba-9d6aeece3a75}
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:592:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_01
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | File created: C:\Users\user\AppData\Local\Temp\tmp86E7.tmp
          Source: SUR BL 00957WE .exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: SUR BL 00957WE .exe | Virustotal: Detection: 23%
          Source: SUR BL 00957WE .exe | ReversingLabs: Detection: 27%
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | File read: C:\Users\user\Desktop\SUR BL 00957WE .exe
          Source: unknown | Process created: C:\Users\user\Desktop\SUR BL 00957WE .exe 'C:\Users\user\Desktop\SUR BL 00957WE .exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmp86E7.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\Desktop\SUR BL 00957WE .exe C:\Users\user\Desktop\SUR BL 00957WE .exe
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp92CE.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp957F.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\Desktop\SUR BL 00957WE .exe 'C:\Users\user\Desktop\SUR BL 00957WE .exe' 0
          Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmpAE36.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmpB20E.tmp'
          Source: unknown | Process created: C:\Users\user\Desktop\SUR BL 00957WE .exe C:\Users\user\Desktop\SUR BL 00957WE .exe
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmpD47B.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmp86E7.tmp'
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | Process created: C:\Users\user\Desktop\SUR BL 00957WE .exe C:\Users\user\Desktop\SUR BL 00957WE .exe
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp92CE.tmp'
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp957F.tmp'
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmpAE36.tmp'
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | Process created: C:\Users\user\Desktop\SUR BL 00957WE .exe C:\Users\user\Desktop\SUR BL 00957WE .exe
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmpB20E.tmp'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XRgItgAeBZGif' /XML 'C:\Users\user\AppData\Local\Temp\tmpD47B.tmp'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\SUR BL 00957WE .exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll