Loading ...

Play interactive tourEdit tour

Analysis Report Y3gAvT9q.exe

Overview

General Information

Sample Name:Y3gAvT9q.exe
Analysis ID:289362
MD5:8c2fe908ff9c5bb26effeef4aa049576
SHA1:b1ce9421180a6d33a725e4f40ba257f0dc2259e6
SHA256:aa54381545a2e23e467f23f2074f90c3d669640eb2a1049e5d47f1b9af31845b
Tags:exeNanoCore

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample file is different than original file name gathered from version info
Yara signature match

Classification

Startup

  • System is w10x64
  • Y3gAvT9q.exe (PID: 6784 cmdline: 'C:\Users\user\Desktop\Y3gAvT9q.exe' MD5: 8C2FE908FF9C5BB26EFFEEF4AA049576)
  • dhcpmon.exe (PID: 7112 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 8C2FE908FF9C5BB26EFFEEF4AA049576)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["255.255.255.255", "95.180.119.24"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
Y3gAvT9q.exeNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Y3gAvT9q.exeNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Y3gAvT9q.exeJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    Y3gAvT9q.exeNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfef5:$a: NanoCore
    • 0xff05:$a: NanoCore
    • 0x10139:$a: NanoCore
    • 0x1014d:$a: NanoCore
    • 0x1018d:$a: NanoCore
    • 0xff54:$b: ClientPlugin
    • 0x10156:$b: ClientPlugin
    • 0x10196:$b: ClientPlugin
    • 0x1007b:$c: ProjectData
    • 0x10a82:$d: DESCrypto
    • 0x1844e:$e: KeepAlive
    • 0x1643c:$g: LogClientMessage
    • 0x12637:$i: get_Connected
    • 0x10db8:$j: #=q
    • 0x10de8:$j: #=q
    • 0x10e04:$j: #=q
    • 0x10e34:$j: #=q
    • 0x10e50:$j: #=q
    • 0x10e6c:$j: #=q
    • 0x10e9c:$j: #=q
    • 0x10eb8:$j: #=q

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xff05:$x1: NanoCore Client.exe
    • 0x1018d:$x2: NanoCore.ClientPluginHost
    • 0x117c6:$s1: PluginCommand
    • 0x117ba:$s2: FileCommand
    • 0x1266b:$s3: PipeExists
    • 0x18422:$s4: PipeCreated
    • 0x101b7:$s5: IClientLoggingHost
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0xfef5:$a: NanoCore
      • 0xff05:$a: NanoCore
      • 0x10139:$a: NanoCore
      • 0x1014d:$a: NanoCore
      • 0x1018d:$a: NanoCore
      • 0xff54:$b: ClientPlugin
      • 0x10156:$b: ClientPlugin
      • 0x10196:$b: ClientPlugin
      • 0x1007b:$c: ProjectData
      • 0x10a82:$d: DESCrypto
      • 0x1844e:$e: KeepAlive
      • 0x1643c:$g: LogClientMessage
      • 0x12637:$i: get_Connected
      • 0x10db8:$j: #=q
      • 0x10de8:$j: #=q
      • 0x10e04:$j: #=q
      • 0x10e34:$j: #=q
      • 0x10e50:$j: #=q
      • 0x10e6c:$j: #=q
      • 0x10e9c:$j: #=q
      • 0x10eb8:$j: #=q

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000000.207843679.0000000000E02000.00000002.00020000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xff8d:$x1: NanoCore.ClientPluginHost
      • 0xffca:$x2: IClientNetworkHost
      • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      00000000.00000000.207843679.0000000000E02000.00000002.00020000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        00000000.00000000.207843679.0000000000E02000.00000002.00020000.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xfcf5:$a: NanoCore
        • 0xfd05:$a: NanoCore
        • 0xff39:$a: NanoCore
        • 0xff4d:$a: NanoCore
        • 0xff8d:$a: NanoCore
        • 0xfd54:$b: ClientPlugin
        • 0xff56:$b: ClientPlugin
        • 0xff96:$b: ClientPlugin
        • 0xfe7b:$c: ProjectData
        • 0x10882:$d: DESCrypto
        • 0x1824e:$e: KeepAlive
        • 0x1623c:$g: LogClientMessage
        • 0x12437:$i: get_Connected
        • 0x10bb8:$j: #=q
        • 0x10be8:$j: #=q
        • 0x10c04:$j: #=q
        • 0x10c34:$j: #=q
        • 0x10c50:$j: #=q
        • 0x10c6c:$j: #=q
        • 0x10c9c:$j: #=q
        • 0x10cb8:$j: #=q
        00000000.00000002.476284342.0000000000E02000.00000002.00020000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xff8d:$x1: NanoCore.ClientPluginHost
        • 0xffca:$x2: IClientNetworkHost
        • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        00000000.00000002.476284342.0000000000E02000.00000002.00020000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
          Click to see the 24 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          2.0.dhcpmon.exe.9d0000.0.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
          • 0x1018d:$x1: NanoCore.ClientPluginHost
          • 0x101ca:$x2: IClientNetworkHost
          • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
          2.0.dhcpmon.exe.9d0000.0.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
          • 0xff05:$x1: NanoCore Client.exe
          • 0x1018d:$x2: NanoCore.ClientPluginHost
          • 0x117c6:$s1: PluginCommand
          • 0x117ba:$s2: FileCommand
          • 0x1266b:$s3: PipeExists
          • 0x18422:$s4: PipeCreated
          • 0x101b7:$s5: IClientLoggingHost
          2.0.dhcpmon.exe.9d0000.0.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
            2.0.dhcpmon.exe.9d0000.0.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
            • 0xfef5:$a: NanoCore
            • 0xff05:$a: NanoCore
            • 0x10139:$a: NanoCore
            • 0x1014d:$a: NanoCore
            • 0x1018d:$a: NanoCore
            • 0xff54:$b: ClientPlugin
            • 0x10156:$b: ClientPlugin
            • 0x10196:$b: ClientPlugin
            • 0x1007b:$c: ProjectData
            • 0x10a82:$d: DESCrypto
            • 0x1844e:$e: KeepAlive
            • 0x1643c:$g: LogClientMessage
            • 0x12637:$i: get_Connected
            • 0x10db8:$j: #=q
            • 0x10de8:$j: #=q
            • 0x10e04:$j: #=q
            • 0x10e34:$j: #=q
            • 0x10e50:$j: #=q
            • 0x10e6c:$j: #=q
            • 0x10e9c:$j: #=q
            • 0x10eb8:$j: #=q
            0.2.Y3gAvT9q.exe.5e80000.4.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
            • 0xf7ad:$x1: NanoCore.ClientPluginHost
            • 0xf7da:$x2: IClientNetworkHost
            Click to see the 19 entries

            Sigma Overview

            System Summary:

            barindex
            Sigma detected: NanoCoreShow sources
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Y3gAvT9q.exe, ProcessId: 6784, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus / Scanner detection for submitted sampleShow sources
            Source: Y3gAvT9q.exeAvira: detected
            Antivirus detection for dropped fileShow sources
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen7
            Found malware configurationShow sources
            Source: dhcpmon.exe.7112.2.memstrMalware Configuration Extractor: NanoCore {"C2: ": ["255.255.255.255", "95.180.119.24"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
            Multi AV Scanner detection for dropped fileShow sources
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeVirustotal: Detection: 77%Perma Link
            Multi AV Scanner detection for submitted fileShow sources
            Source: Y3gAvT9q.exeVirustotal: Detection: 77%Perma Link
            Yara detected Nanocore RATShow sources
            Source: Yara matchFile source: Y3gAvT9q.exe, type: SAMPLE
            Source: Yara matchFile source: 00000000.00000000.207843679.0000000000E02000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.476284342.0000000000E02000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.253345668.0000000003121000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000000.234605437.00000000009D2000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.483080238.0000000005E80000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.253397277.0000000004121000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.482070403.000000000479A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.250480565.00000000009D2000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Y3gAvT9q.exe PID: 6784, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7112, type: MEMORY
            Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
            Source: Yara matchFile source: 2.0.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Y3gAvT9q.exe.5e80000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Y3gAvT9q.exe.5e80000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.0.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPE
            Machine Learning detection for dropped fileShow sources
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
            Machine Learning detection for sampleShow sources
            Source: Y3gAvT9q.exeJoe Sandbox ML: detected
            Source: 2.0.dhcpmon.exe.9d0000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
            Source: 0.2.Y3gAvT9q.exe.e00000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
            Source: 2.2.dhcpmon.exe.9d0000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
            Source: 0.0.Y3gAvT9q.exe.e00000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7

            Networking:

            barindex
            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49727 -> 95.180.119.24:6006
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49730 -> 95.180.119.24:6006
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49737 -> 95.180.119.24:6006
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49738 -> 95.180.119.24:6006
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49739 -> 95.180.119.24:6006
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49755 -> 95.180.119.24:6006
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49756 -> 95.180.119.24:6006
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49757 -> 95.180.119.24:6006
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49761 -> 95.180.119.24:6006
            Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49762 -> 95.180.119.24:6006
            Uses dynamic DNS servicesShow sources
            Source: unknownDNS query: name: kurcinasmrdljiva.ddns.net
            Source: global trafficTCP traffic: 192.168.2.4:49718 -> 95.180.119.24:6006
            Source: Joe Sandbox ViewASN Name: SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_057B2AAE WSARecv,0_2_057B2AAE
            Source: unknownDNS traffic detected: queries for: kurcinasmrdljiva.ddns.net
            Source: dhcpmon.exe, 00000002.00000002.251633355.00000000011B8000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: Y3gAvT9q.exe, 00000000.00000002.483080238.0000000005E80000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

            E-Banking Fraud:

            barindex
            Yara detected Nanocore RATShow sources
            Source: Yara matchFile source: Y3gAvT9q.exe, type: SAMPLE
            Source: Yara matchFile source: 00000000.00000000.207843679.0000000000E02000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.476284342.0000000000E02000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.253345668.0000000003121000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000000.234605437.00000000009D2000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.483080238.0000000005E80000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.253397277.0000000004121000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.482070403.000000000479A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.250480565.00000000009D2000.00000002.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Y3gAvT9q.exe PID: 6784, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7112, type: MEMORY
            Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
            Source: Yara matchFile source: 2.0.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Y3gAvT9q.exe.5e80000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Y3gAvT9q.exe.5e80000.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.0.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPE

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: Y3gAvT9q.exe, type: SAMPLEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Y3gAvT9q.exe, type: SAMPLEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000000.207843679.0000000000E02000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000000.207843679.0000000000E02000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.476284342.0000000000E02000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000002.476284342.0000000000E02000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000002.00000002.253345668.0000000003121000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000002.00000000.234605437.00000000009D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000002.00000000.234605437.00000000009D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.483080238.0000000005E80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000002.00000002.253397277.0000000004121000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.482070403.000000000479A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.482842034.0000000005980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000002.00000002.250480565.00000000009D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000002.00000002.250480565.00000000009D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: Y3gAvT9q.exe PID: 6784, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: Y3gAvT9q.exe PID: 6784, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: dhcpmon.exe PID: 7112, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: dhcpmon.exe PID: 7112, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 2.0.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 2.0.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Y3gAvT9q.exe.5e80000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Y3gAvT9q.exe.5980000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 2.2.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 2.2.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Y3gAvT9q.exe.5e80000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.0.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.0.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_057B131A NtQuerySystemInformation,0_2_057B131A
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_057B12DF NtQuerySystemInformation,0_2_057B12DF
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 2_2_00FF2477 NtCreateTransaction,2_2_00FF2477
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_00E0524A0_2_00E0524A
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_0340AFF00_2_0340AFF0
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_034087900_2_03408790
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_034023A00_2_034023A0
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_03402FA80_2_03402FA8
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_034038500_2_03403850
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_034093900_2_03409390
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_034094570_2_03409457
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_0340306F0_2_0340306F
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 2_2_009D524A2_2_009D524A
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 2_2_00FF24772_2_00FF2477
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 2_2_02C92FA82_2_02C92FA8
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 2_2_02C923A02_2_02C923A0
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 2_2_02C938502_2_02C93850
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 2_2_02C9306F2_2_02C9306F
            Source: Y3gAvT9q.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dhcpmon.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Y3gAvT9q.exe, 00000000.00000002.483181172.00000000060E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Y3gAvT9q.exe
            Source: Y3gAvT9q.exe, 00000000.00000002.483080238.0000000005E80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Y3gAvT9q.exe
            Source: Y3gAvT9q.exe, 00000000.00000002.483441874.0000000006AF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Y3gAvT9q.exe
            Source: Y3gAvT9q.exe, 00000000.00000002.482482091.00000000057A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Y3gAvT9q.exe
            Source: Y3gAvT9q.exe, 00000000.00000002.482070403.000000000479A000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Y3gAvT9q.exe
            Source: Y3gAvT9q.exe, 00000000.00000002.482942181.0000000005BA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Y3gAvT9q.exe
            Source: Y3gAvT9q.exe, type: SAMPLEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Y3gAvT9q.exe, type: SAMPLEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: Y3gAvT9q.exe, type: SAMPLEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000000.207843679.0000000000E02000.00000002.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000000.207843679.0000000000E02000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000002.476284342.0000000000E02000.00000002.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000002.476284342.0000000000E02000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000002.00000002.253345668.0000000003121000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000002.00000000.234605437.00000000009D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000002.00000000.234605437.00000000009D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000002.483080238.0000000005E80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000002.483080238.0000000005E80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000002.00000002.253397277.0000000004121000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000002.482070403.000000000479A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000002.482842034.0000000005980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000002.482842034.0000000005980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000002.00000002.250480565.00000000009D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000002.00000002.250480565.00000000009D2000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: Y3gAvT9q.exe PID: 6784, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: Y3gAvT9q.exe PID: 6784, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: dhcpmon.exe PID: 7112, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: dhcpmon.exe PID: 7112, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPEDMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 2.0.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 2.0.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 2.0.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Y3gAvT9q.exe.5e80000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Y3gAvT9q.exe.5e80000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.Y3gAvT9q.exe.5980000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Y3gAvT9q.exe.5980000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 2.2.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 2.2.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 2.2.dhcpmon.exe.9d0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Y3gAvT9q.exe.5e80000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Y3gAvT9q.exe.5e80000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.0.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.0.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.Y3gAvT9q.exe.e00000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Y3gAvT9q.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: Y3gAvT9q.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
            Source: Y3gAvT9q.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
            Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
            Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
            Source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 2.2.dhcpmon.exe.9d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 2.2.dhcpmon.exe.9d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 2.0.dhcpmon.exe.9d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 2.0.dhcpmon.exe.9d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.0.Y3gAvT9q.exe.e00000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 0.0.Y3gAvT9q.exe.e00000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: Y3gAvT9q.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: Y3gAvT9q.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: classification engineClassification label: mal100.troj.evad.winEXE@2/4@11/2
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_057B10DA AdjustTokenPrivileges,0_2_057B10DA
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_057B10A3 AdjustTokenPrivileges,0_2_057B10A3
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{5dfffee2-a2d6-4f71-bbc8-4e2c894ac926}
            Source: Y3gAvT9q.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: Y3gAvT9q.exeVirustotal: Detection: 77%
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeFile read: C:\Users\user\Desktop\Y3gAvT9q.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Y3gAvT9q.exe 'C:\Users\user\Desktop\Y3gAvT9q.exe'
            Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
            Source: Y3gAvT9q.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
            Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Y3gAvT9q.exe, 00000000.00000002.478307301.0000000003415000.00000004.00000040.sdmp
            Source: Binary string: mscorrc.pdb source: Y3gAvT9q.exe, 00000000.00000002.482942181.0000000005BA0000.00000002.00000001.sdmp
            Source: Y3gAvT9q.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: Y3gAvT9q.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: dhcpmon.exe.0.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: dhcpmon.exe.0.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 0.2.Y3gAvT9q.exe.e00000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 0.0.Y3gAvT9q.exe.e00000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 0.0.Y3gAvT9q.exe.e00000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 2.0.dhcpmon.exe.9d0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 2.0.dhcpmon.exe.9d0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: 2.2.dhcpmon.exe.9d0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
            Source: 2.2.dhcpmon.exe.9d0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeFile opened: C:\Users\user\Desktop\Y3gAvT9q.exe:Zone.Identifier read attributes | deleteJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeWindow / User API: threadDelayed 1288Jump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeWindow / User API: foregroundWindowGot 855Jump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exe TID: 6816Thread sleep time: -1844674407370954s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exe TID: 6812Thread sleep time: -180000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7164Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeCode function: 0_2_057B0D66 GetSystemInfo,0_2_057B0D66
            Source: Y3gAvT9q.exe, 00000000.00000002.483441874.0000000006AF0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: Y3gAvT9q.exe, 00000000.00000002.483441874.0000000006AF0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: Y3gAvT9q.exe, 00000000.00000002.483441874.0000000006AF0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: Y3gAvT9q.exe, 00000000.00000002.483441874.0000000006AF0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\Desktop\Y3gAvT9q.exeProcess information queried: ProcessInformationJump to behavior