Analysis Report c3CHFtE8lI.exe

Overview

General Information

Sample Name: c3CHFtE8lI.exe
Analysis ID: 287822
MD5: 1cf26a96c17dbab78096a376a904d334
SHA1: a388ed048b725f09fa1415bc49ee5210810a0202
SHA256: 8a170584ad7402c1bee5b9c0932475bce9eef45d40b0774594a8df01eb9737db
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • c3CHFtE8lI.exe (PID: 6784 cmdline: 'C:\Users\user\Desktop\c3CHFtE8lI.exe' MD5: 1CF26A96C17DBAB78096A376A904D334)
    • schtasks.exe (PID: 7028 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZbPSGyp' /XML 'C:\Users\user\AppData\Local\Temp\tmp4FCD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • c3CHFtE8lI.exe (PID: 7072 cmdline: C:\Users\user\Desktop\c3CHFtE8lI.exe MD5: 1CF26A96C17DBAB78096A376A904D334)
    • c3CHFtE8lI.exe (PID: 7080 cmdline: C:\Users\user\Desktop\c3CHFtE8lI.exe MD5: 1CF26A96C17DBAB78096A376A904D334)
      • schtasks.exe (PID: 7112 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp66C0.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4892 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp69DE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • c3CHFtE8lI.exe (PID: 2912 cmdline: C:\Users\user\Desktop\c3CHFtE8lI.exe 0 MD5: 1CF26A96C17DBAB78096A376A904D334)
    • schtasks.exe (PID: 6320 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZbPSGyp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7854.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • c3CHFtE8lI.exe (PID: 6360 cmdline: C:\Users\user\Desktop\c3CHFtE8lI.exe MD5: 1CF26A96C17DBAB78096A376A904D334)
    • c3CHFtE8lI.exe (PID: 6196 cmdline: C:\Users\user\Desktop\c3CHFtE8lI.exe MD5: 1CF26A96C17DBAB78096A376A904D334)
  • dhcpmon.exe (PID: 4528 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 1CF26A96C17DBAB78096A376A904D334)
  • dhcpmon.exe (PID: 204 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 1CF26A96C17DBAB78096A376A904D334)
    • schtasks.exe (PID: 6428 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZbPSGyp' /XML 'C:\Users\user\AppData\Local\Temp\tmp9AFF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 7004 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1CF26A96C17DBAB78096A376A904D334)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.496347665.0000000005C10000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000006.00000002.496347665.0000000005C10000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000017.00000002.289256285.0000000004371000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000017.00000002.289256285.0000000004371000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x49a85:$a: NanoCore
  • 0x49ade:$a: NanoCore
  • 0x49b1b:$a: NanoCore
  • 0x49b94:$a: NanoCore
  • 0x5d23f:$a: NanoCore
  • 0x5d254:$a: NanoCore
  • 0x5d289:$a: NanoCore
  • 0x7622b:$a: NanoCore
  • 0x76240:$a: NanoCore
  • 0x76275:$a: NanoCore
  • 0x49ae7:$b: ClientPlugin
  • 0x49b24:$b: ClientPlugin
  • 0x4a422:$b: ClientPlugin
  • 0x4a42f:$b: ClientPlugin
  • 0x5cffb:$b: ClientPlugin
  • 0x5d016:$b: ClientPlugin
  • 0x5d046:$b: ClientPlugin
  • 0x5d25d:$b: ClientPlugin
  • 0x5d292:$b: ClientPlugin
  • 0x75fe7:$b: ClientPlugin
  • 0x76002:$b: ClientPlugin
00000013.00000002.273770605.00000000030F6000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.c3CHFtE8lI.exe.5c10000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
6.2.c3CHFtE8lI.exe.5c10000.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
6.2.c3CHFtE8lI.exe.5eb0000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
6.2.c3CHFtE8lI.exe.5eb0000.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
6.2.c3CHFtE8lI.exe.5eb0000.6.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\c3CHFtE8lI.exe, ProcessId: 7080, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZbPSGyp' /XML 'C:\Users\user\AppData\Local\Temp\tmp4FCD.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZbPSGyp' /XML 'C:\Users\user\AppData\Local\Temp\tmp4FCD.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\c3CHFtE8lI.exe', ParentImage: C:\Users\user\Desktop\c3CHFtE8lI.exe, ParentProcessId: 6784, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZbPSGyp' /XML 'C:\Users\user\AppData\Local\Temp\tmp4FCD.tmp', ProcessId: 7028

Signature Overview

AV Detection:

Found malware configuration
Source: c3CHFtE8lI.exe.7080.6.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Virustotal: Detection: 37%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Roaming\ZbPSGyp.exe, Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Roaming\ZbPSGyp.exe, ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: c3CHFtE8lI.exe, Virustotal: Detection: 37%
Source: c3CHFtE8lI.exe, ReversingLabs: Detection: 52%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000017.00000002.289256285.0000000004371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.485944769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.274055566.0000000003F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.285333181.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.272390348.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.289154085.0000000003371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.274010249.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.273957182.0000000004081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.494739120.0000000004407000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.264334250.0000000003A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.496474525.0000000005EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.257732423.0000000003BE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.236317723.0000000003C61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: c3CHFtE8lI.exe PID: 6196, type: MEMORY
Source: Yara match, File source: Process Memory Space: c3CHFtE8lI.exe PID: 6784, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 204, type: MEMORY
Source: Yara match, File source: Process Memory Space: c3CHFtE8lI.exe PID: 7080, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 7004, type: MEMORY
Source: Yara match, File source: Process Memory Space: c3CHFtE8lI.exe PID: 2912, type: MEMORY
Source: Yara match, File source: 6.2.c3CHFtE8lI.exe.5eb0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.c3CHFtE8lI.exe.5eb0000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ZbPSGyp.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: c3CHFtE8lI.exe, Joe Sandbox ML: detected
Source: 6.2.c3CHFtE8lI.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.2.c3CHFtE8lI.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: global traffic, TCP traffic: 192.168.2.4:49716 -> 185.165.153.6:2786
Source: unknown, DNS traffic detected: queries for: yawalessinc.hopto.org
Source: dhcpmon.exe, 0000000C.00000002.250273421.0000000000C88000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: c3CHFtE8lI.exe, 00000006.00000002.494739120.0000000004407000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000017.00000002.289256285.0000000004371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.485944769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.274055566.0000000003F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.285333181.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.272390348.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.289154085.0000000003371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.274010249.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.273957182.0000000004081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.494739120.0000000004407000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.264334250.0000000003A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.496474525.0000000005EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.257732423.0000000003BE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.236317723.0000000003C61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: c3CHFtE8lI.exe PID: 6196, type: MEMORY
Source: Yara match, File source: Process Memory Space: c3CHFtE8lI.exe PID: 6784, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 204, type: MEMORY
Source: Yara match, File source: Process Memory Space: c3CHFtE8lI.exe PID: 7080, type: MEMORY
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 7004, type: MEMORY
Source: Yara match, File source: Process Memory Space: c3CHFtE8lI.exe PID: 2912, type: MEMORY
Source: Yara match, File source: 6.2.c3CHFtE8lI.exe.5eb0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.c3CHFtE8lI.exe.5eb0000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.496347665.0000000005C10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000017.00000002.289256285.0000000004371000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.485944769.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000006.00000002.485944769.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.274055566.0000000003F81000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.285333181.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000017.00000002.285333181.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.272390348.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000011.00000002.272390348.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.289154085.0000000003371000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.274010249.0000000002F81000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.273957182.0000000004081000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000013.00000002.273957182.0000000004081000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.494739120.0000000004407000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.264334250.0000000003A41000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000B.00000002.264334250.0000000003A41000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.496474525.0000000005EB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000C.00000002.257732423.0000000003BE1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000C.00000002.257732423.0000000003BE1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.236317723.0000000003C61000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.236317723.0000000003C61000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: c3CHFtE8lI.exe PID: 6196, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: c3CHFtE8lI.exe PID: 6196, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: c3CHFtE8lI.exe PID: 6784, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: c3CHFtE8lI.exe PID: 6784, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 204, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 204, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: c3CHFtE8lI.exe PID: 7080, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: c3CHFtE8lI.exe PID: 7080, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 7004, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 7004, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: c3CHFtE8lI.exe PID: 2912, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: c3CHFtE8lI.exe PID: 2912, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.c3CHFtE8lI.exe.5c10000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.c3CHFtE8lI.exe.5eb0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 17.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.c3CHFtE8lI.exe.5eb0000.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_054A12AE NtQuerySystemInformation
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_054A1281 NtQuerySystemInformation
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 6_2_054E16DA NtQuerySystemInformation
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 6_2_054E169F NtQuerySystemInformation
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04EC0EEE NtQuerySystemInformation
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04EC0EC1 NtQuerySystemInformation
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_005A5B10
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_027E1B88
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_027E9150
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_027E0900
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_027E3318
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_027E3317
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_027E0F0A
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_027E3307
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_027E9FE8
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_027E2FA7
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_027E1C30
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_027E3568
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_027E3567
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_027E09A2
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_055257E1
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 1_2_005A2965
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 5_2_00435B10
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 5_2_00432965
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 6_2_00B65B10
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 6_2_030623A0
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 6_2_03062FA8
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 6_2_0306B2A8
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 6_2_030689D8
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 6_2_0306969F
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 6_2_030695D8
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 6_2_0306306F
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 6_2_00B62965
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_003B5B10
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04C09150
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04C02561
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04C00900
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04C01B78
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04C01C30
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04C009A2
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04C0355A
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04C03568
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04C09FE8
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04C02F98
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04C03307
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04C00F0A
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_04C03318
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_052157E1
Source: C:\Users\user\Desktop\c3CHFtE8lI.exe, Code function: 11_2_003B2965
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_00505B10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D39150
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D32561
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D30900
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D31B78
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D31C30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D309A2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D33558
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D39140
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D33568
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D3A229
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D39FE8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D32F98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D33318
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D33307
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_04D30F0A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_053457E1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 12_2_00502965
Source: c3CHFtE8lI.exe, 00000001.00000002.238394187.0000000005B00000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000001.00000002.238394187.0000000005B00000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000001.00000002.237383940.0000000004EF0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameEminem.dll< vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000001.00000002.237724124.00000000053E0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameButterFly.dll< vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000001.00000002.237298177.0000000004E90000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000001.00000002.238132784.0000000005A00000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000001.00000000.219713373.000000000062C000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamemypo.exe|. vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000005.00000000.230601932.00000000004BC000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamemypo.exe|. vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000006.00000002.496347665.0000000005C10000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000006.00000002.496968787.00000000067A0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000006.00000002.486703114.0000000000BEC000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamemypo.exe|. vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000006.00000002.496286202.0000000005BB0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000006.00000002.494739120.0000000004407000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000006.00000002.494739120.0000000004407000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000006.00000002.495140309.00000000054C0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 0000000B.00000002.268165961.0000000005170000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameButterFly.dll< vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 0000000B.00000002.268639603.0000000005A30000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 0000000B.00000002.268639603.0000000005A30000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 0000000B.00000002.268429884.0000000005930000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 0000000B.00000002.266843926.0000000004CD0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameEminem.dll< vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 0000000B.00000000.240892700.000000000043C000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamemypo.exe|. vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 0000000B.00000002.266591302.0000000004C70000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000010.00000000.250405310.000000000009C000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamemypo.exe|. vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000011.00000002.274055566.0000000003F81000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000011.00000002.274055566.0000000003F81000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000011.00000002.274055566.0000000003F81000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000011.00000000.253871130.00000000009CC000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamemypo.exe|. vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, 00000011.00000002.276384807.00000000052B0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs c3CHFtE8lI.exe
Source: c3CHFtE8lI.exe, Binary or memory string: OriginalFilenamemypo.exe|. vs c3CHFtE8lI.exe
Source: 00000006.00000002.496347665.0000000005C10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.496347665.0000000005C10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.496347665.0000000005C10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000017.00000002.289256285.0000000004371000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.485944769.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.485944769.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.274055566.0000000003F81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.285333181.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.285333181.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.272390348.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.272390348.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.289154085.0000000003371000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.274010249.0000000002F81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000013.00000002.273957182.0000000004081000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000013.00000002.273957182.0000000004081000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.494739120.0000000004407000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.264334250.0000000003A41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.264334250.0000000003A41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.496474525.0000000005EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.496474525.0000000005EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.257732423.0000000003BE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.257732423.0000000003BE1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.236317723.0000000003C61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.236317723.0000000003C61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: c3CHFtE8lI.exe PID: 6196, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: c3CHFtE8lI.exe PID: 6196, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: c3CHFtE8lI.exe PID: 6784, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: c3CHFtE8lI.exe PID: 6784, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 204, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 204, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: c3CHFtE8lI.exe PID: 7080, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: c3CHFtE8lI.exe PID: 7080, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 7004, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 7004, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: c3CHFtE8lI.exe PID: 2912, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: c3CHFtE8lI.exe PID: 2912, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.c3CHFtE8lI.exe.5c10000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.c3CHFtE8lI.exe.5c10000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.c3CHFtE8lI.exe.5eb0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.c3CHFtE8lI.exe.5eb0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.c3CHFtE8lI.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.c3CHFtE8lI.exe.5eb0000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.c3CHFtE8lI.exe.5eb0000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: c3CHFtE8lI.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: ZbPSGyp.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: c3CHFtE8lI.exe, u0002u2000.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: ZbPSGyp.exe.1.dr, u0002u2000.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.0.c3CHFtE8lI.exe.5a0000.0.unpack, u0002u2000.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.c3CHFtE8lI.exe.5a0000.0.unpack, u0002u2000.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 5.0.c3CHFtE8lI.exe.430000.0.unpack, u0002u2000.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: dhcpmon.exe.6.dr, u0002u2000.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@29/13@12/1
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Code function: 1_2_054A0E9A AdjustTokenPrivileges,1_2_054A0E9A
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Code function: 1_2_054A0E63 AdjustTokenPrivileges,1_2_054A0E63
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Code function: 6_2_054E149A AdjustTokenPrivileges,6_2_054E149A
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Code function: 6_2_054E1463 AdjustTokenPrivileges,6_2_054E1463
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Code function: 11_2_04EC0ADA AdjustTokenPrivileges,11_2_04EC0ADA
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Code function: 11_2_04EC0AA3 AdjustTokenPrivileges,11_2_04EC0AA3
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | File created: C:\Users\user\AppData\Roaming\ZbPSGyp.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4888:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_01
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{8ff437cf-fde6-4391-9e30-8c4a40988972}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_01
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Mutant created: \Sessions\1\BaseNamedObjects\PLtqEnkiTPzYH
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | File created: C:\Users\user\AppData\Local\Temp\tmp4FCD.tmp
        Source: c3CHFtE8lI.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: c3CHFtE8lI.exe | Virustotal: Detection: 37%
        Source: c3CHFtE8lI.exe | ReversingLabs: Detection: 52%
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | File read: C:\Users\user\Desktop\c3CHFtE8lI.exe
        Source: unknown | Process created: C:\Users\user\Desktop\c3CHFtE8lI.exe 'C:\Users\user\Desktop\c3CHFtE8lI.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZbPSGyp' /XML 'C:\Users\user\AppData\Local\Temp\tmp4FCD.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\c3CHFtE8lI.exe C:\Users\user\Desktop\c3CHFtE8lI.exe
        Source: unknown | Process created: C:\Users\user\Desktop\c3CHFtE8lI.exe C:\Users\user\Desktop\c3CHFtE8lI.exe
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp66C0.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp69DE.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\c3CHFtE8lI.exe C:\Users\user\Desktop\c3CHFtE8lI.exe 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZbPSGyp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7854.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\c3CHFtE8lI.exe C:\Users\user\Desktop\c3CHFtE8lI.exe
        Source: unknown | Process created: C:\Users\user\Desktop\c3CHFtE8lI.exe C:\Users\user\Desktop\c3CHFtE8lI.exe
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZbPSGyp' /XML 'C:\Users\user\AppData\Local\Temp\tmp9AFF.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZbPSGyp' /XML 'C:\Users\user\AppData\Local\Temp\tmp4FCD.tmp'
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Process created: C:\Users\user\Desktop\c3CHFtE8lI.exe C:\Users\user\Desktop\c3CHFtE8lI.exe
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Process created: C:\Users\user\Desktop\c3CHFtE8lI.exe C:\Users\user\Desktop\c3CHFtE8lI.exe
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp66C0.tmp'
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp69DE.tmp'
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZbPSGyp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7854.tmp'
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Process created: C:\Users\user\Desktop\c3CHFtE8lI.exe C:\Users\user\Desktop\c3CHFtE8lI.exe
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Process created: C:\Users\user\Desktop\c3CHFtE8lI.exe C:\Users\user\Desktop\c3CHFtE8lI.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZbPSGyp' /XML 'C:\Users\user\AppData\Local\Temp\tmp9AFF.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: c3CHFtE8lI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\c3CHFtE8lI.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: c3CHFtE8lI.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: c3CHFtE8lI.exe, 00000006.00000002.489762214.0000000003075000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: c3CHFtE8lI.exe, 00000001.00000002.237298177.0000000004E90000.00000002.00000001.sdmp, c3CHFtE8lI.exe, 00000006.00000002.496286202.0000000005BB0000.00000002.00000001.sdmp, c3CHFtE8lI.exe, 0000000B.00000002.266591302.0000000004C70000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.261118174.0000000004DA0000.00000002.00000001.sdmp, dhcpmon.exe, 00000013.00000002.277598671.0000000005250000.00000002.00000001.sdmp

        Data Obfuscation: