
Analysis Report: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe

Overview

General Information

Sample Name: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe
Analysis ID: 299585
MD5: a0566c1bee832779781affff8c08c6d1
SHA1: 14b8f327b05eae93393d53d4c30d4e1d3c294382
SHA256: 31528f7d3982ec85fa614472a992d112910dd6e456aca735e3208ad40d049714
Tags: exe, NanoCore, nVpn, RAT

Detection

Family: Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Startup

  • System is w10x64
  • dhcpmon.exe (PID: 6264 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: A0566C1BEE832779781AFFFF8C08C6D1)
    • dhcpmon.exe (PID: 6456 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: A0566C1BEE832779781AFFFF8C08C6D1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000000.00000002.227200394.00000000028A2000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.227200394.00000000028A2000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000000.00000002.227200394.00000000028A2000.00000040.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000003.00000002.268252744.0000000004552000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000003.00000002.268252744.0000000004552000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 5.2.dhcpmon.exe.b30000.1.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 5.2.dhcpmon.exe.b30000.1.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 5.2.dhcpmon.exe.b30000.1.raw.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 5.2.dhcpmon.exe.b30000.1.raw.unpack | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
Source: 5.2.dhcpmon.exe.24c0000.3.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe, ProcessId: 7076, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: 'C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe', CommandLine: 'C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe', CommandLine|base64offset|contains: ., Image: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe, NewProcessName: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe', ParentImage: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe, ParentProcessId: 6924, ProcessCommandLine: 'C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe', ProcessId: 7076

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | ReversingLabs: Detection: 41%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.227200394.00000000028A2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.268252744.0000000004552000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.227274303.000000000293B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.279265235.000000000049B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.282700333.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.280462055.00000000024C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.279015699.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.280209082.0000000002432000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.268515889.00000000045EB000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.279821404.0000000000B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.282886559.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe PID: 6924, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6456, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6264, type: MEMORY
Source: Yara match | File source: 5.2.dhcpmon.exe.b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.dhcpmon.exe.4550000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.b30000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.dhcpmon.exe.44c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.2430000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Joe Sandbox ML: detected
Source: 3.2.dhcpmon.exe.44c0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.dhcpmon.exe.2430000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.1.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 3.2.dhcpmon.exe.4550000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.2.dhcpmon.exe.24c0000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.1.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Code function: 0_2_00408868 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Code function: 0_2_004059F8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 3_2_00408868 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 3_2_004059F8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49728 -> 79.134.225.118:9987
Uses dynamic DNS services
Source: unknown | DNS query: name: engr101.ddns.net
Source: global traffic | TCP traffic: 192.168.2.3:49728 -> 79.134.225.118:9987
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: unknown | DNS traffic detected: queries for: engr101.ddns.net
Source: dhcpmon.exe, 00000005.00000002.282700333.0000000002CF1000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Code function: 0_2_00424BD4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Code function: 0_2_00435C3C GetKeyboardState
Source: dhcpmon.exe, 00000005.00000002.282886559.0000000003CF1000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File sources: the same memory dumps and unpacked PEs listed for this signature under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.227200394.00000000028A2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.227200394.00000000028A2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.268252744.0000000004552000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.268252744.0000000004552000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.227274303.000000000293B000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.227274303.000000000293B000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.279265235.000000000049B000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000005.00000002.279265235.000000000049B000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.282700333.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.280462055.00000000024C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000005.00000002.280462055.00000000024C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.279015699.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000005.00000002.279015699.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.280209082.0000000002432000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000005.00000002.280209082.0000000002432000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.268515889.00000000045EB000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.268515889.00000000045EB000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.279821404.0000000000B30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000005.00000002.279821404.0000000000B30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.282886559.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe PID: 6924, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe PID: 6924, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6456, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6456, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6264, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6264, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.dhcpmon.exe.b30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 5.2.dhcpmon.exe.b30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 5.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.dhcpmon.exe.4550000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.dhcpmon.exe.4550000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.dhcpmon.exe.b30000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 5.2.dhcpmon.exe.b30000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.dhcpmon.exe.44c0000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.dhcpmon.exe.44c0000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.dhcpmon.exe.2430000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 5.2.dhcpmon.exe.2430000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe
Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Code function: 0_2_00438B74 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Code function: 0_2_00453908 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Code function: 0_2_00454084 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Code function: 0_2_00454134 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Code function: 0_2_004484F8 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Code function: 0_2_0042C860 NtdllDefWindowProc_A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 3_2_00438B74 NtdllDefWindowProc_A,GetCapture
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 3_2_00453908 NtdllDefWindowProc_A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 3_2_00454084 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 3_2_00454134 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 3_2_004484F8 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 3_2_0042C860 NtdllDefWindowProc_A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_00494159 NtCreateSection
Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Code function: 0_2_004484F8
Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Code function: 0_2_0044DFDC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 3_2_004484F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 3_2_0044DFDC
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_0040524A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_0048D976
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_0049313D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_0049E4A2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_026123A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_02612FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_0261306F
Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Code function: String function: 00404258 appears 76 times
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: String function: 00404258 appears 76 times
Source: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe, 00000000.00000002.226481553.0000000000528000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename$ vs Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe
Source: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe, 00000000.00000002.226690239.00000000023F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe
Source: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe, 00000001.00000000.225662508.0000000000528000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename$ vs Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe
Source: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe | Binary or memory string: OriginalFilename$ vs Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe
Source: 00000000.00000002.227200394.00000000028A2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.227200394.00000000028A2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.268252744.0000000004552000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.268252744.0000000004552000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.227274303.000000000293B000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.227274303.000000000293B000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.279265235.000000000049B000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.279265235.000000000049B000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.282700333.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.280462055.00000000024C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.280462055.00000000024C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.279015699.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.279015699.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.280209082.0000000002432000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.280209082.0000000002432000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.268515889.00000000045EB000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.268515889.00000000045EB000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.279821404.0000000000B30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.279821404.0000000000B30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000005.00000002.279821404.0000000000B30000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.282886559.0000000003CF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe PID: 6924, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe PID: 6924, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6456, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6456, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6264, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6264, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.dhcpmon.exe.b30000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.dhcpmon.exe.b30000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.dhcpmon.exe.b30000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.dhcpmon.exe.24c0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.dhcpmon.exe.4550000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.dhcpmon.exe.4550000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.dhcpmon.exe.b30000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.dhcpmon.exe.b30000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.dhcpmon.exe.b30000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.dhcpmon.exe.44c0000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.dhcpmon.exe.44c0000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.dhcpmon.exe.2430000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.dhcpmon.exe.2430000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 3.2.dhcpmon.exe.4550000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.2.dhcpmon.exe.4550000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 3.2.dhcpmon.exe.4550000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 5.2.dhcpmon.exe.2430000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 5.2.dhcpmon.exe.2430000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 5.2.dhcpmon.exe.2430000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 5.2.dhcpmon.exe.2430000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.2.dhcpmon.exe.2430000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 5.2.dhcpmon.exe.24c0000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.2.dhcpmon.exe.24c0000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.2.dhcpmon.exe.4550000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.2.dhcpmon.exe.4550000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 5.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@6/6@1/1
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeCode function: 0_2_00421CEC GetLastError,FormatMessageA,0_2_00421CEC
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeCode function: 0_2_004089E0 GetDiskFreeSpaceA,0_2_004089E0
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeCode function: 0_2_00415558 FindResourceA,0_2_00415558
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{2be68f39-5ba4-44f7-a138-f39fcbf9c026}
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeReversingLabs: Detection: 41%
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeFile read: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe 'C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe'
        Source: unknownProcess created: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe 'C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe'
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeProcess created: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe 'C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe' Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' Jump to behavior
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
        Source: Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeStatic file information: File size 1267200 > 1048576
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: dhcpmon.exe, 00000005.00000002.282700333.0000000002CF1000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: dhcpmon.exe, 00000005.00000002.282700333.0000000002CF1000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: dhcpmon.exe, 00000005.00000002.282700333.0000000002CF1000.00000004.00000001.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: dhcpmon.exe, 00000005.00000002.282700333.0000000002CF1000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: dhcpmon.exe, 00000005.00000002.282700333.0000000002CF1000.00000004.00000001.sdmp

        Data Obfuscation:

        Detected unpacking (changes PE section rights)Show sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 5.2.dhcpmon.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.reloc:R;.rsrc:R;
        Detected unpacking (overwrites its own PE header)Show sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 5.2.dhcpmon.exe.400000.0.unpack
        .NET source code contains potential unpackerShow sources
        Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.dhcpmon.exe.4550000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.dhcpmon.exe.4550000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.dhcpmon.exe.2430000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.dhcpmon.exe.2430000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.dhcpmon.exe.24c0000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.dhcpmon.exe.24c0000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeCode function: 0_2_0045EB30 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateThread,WaitForSingleObject,0_2_0045EB30
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeCode function: 0_2_0043FF60 push 0043FFEDh; ret 0_2_0043FFE5
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeCode function: 0_2_0042A000 push 0042A02Ch; ret 0_2_0042A024
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeCode function: 0_2_004281AC push 004281D8h; ret 0_2_004281D0
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeCode function: 0_2_00428434 push 00428460h; ret 0_2_00428458
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeCode function: 0_2_004064E2 push 00406535h; ret 0_2_0040652D
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeCode function: 0_2_004064E4 push 00406535h; ret 0_2_0040652D
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeCode function: 0_2_004564A8 push ecx; mov dword ptr [esp], ecx0_2_004564AD
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeCode function: 0_2_0042E658 push 0042E6B1h; ret 0_2_0042E6A9
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exeCode function: 0_2_0045E668 push 0045E6DEh; ret 0_2_0045E6D6
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_00418604 push ecx; mov dword ptr [esp], edx 0_2_00418606
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_0042E6E0 push 0042E718h; ret 0_2_0042E710
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_004066B4 push 004066E0h; ret 0_2_004066D8
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_0042E774 push 0042E7A0h; ret 0_2_0042E798
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_0040672C push 00406758h; ret 0_2_00406750
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_004147C4 push ecx; mov dword ptr [esp], edx 0_2_004147C9
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_0042E8DC push 0042E908h; ret 0_2_0042E900
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_0041E9DE push 0041EA86h; ret 0_2_0041EA7E
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_0041E9E0 push 0041EA86h; ret 0_2_0041EA7E
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_004149EC push ecx; mov dword ptr [esp], edx 0_2_004149F1
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_0041EAEA push 0041EDE8h; ret 0_2_0041EDE0
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_00414B4C push ecx; mov dword ptr [esp], edx 0_2_00414B51
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_00416B7C push ecx; mov dword ptr [esp], edx 0_2_00416B7D
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_00414B08 push ecx; mov dword ptr [esp], edx 0_2_00414B0D
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_00458BC0 push 00458BECh; ret 0_2_00458BE4
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_00428BF4 push 00428C20h; ret 0_2_00428C18
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_00458BF8 push 00458C24h; ret 0_2_00458C1C
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_00442BAC push 00442BD8h; ret 0_2_00442BD0
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_00428BB4 push 00428BE0h; ret 0_2_00428BD8
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_0045EC5C push 0045EC82h; ret 0_2_0045EC7A
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_0045EC24 push 0045EC50h; ret 0_2_0045EC48
        Source: C:\Users\user\Desktop\Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe Code function: 0_2_00458C30 push 00458C5Ch; ret 0_2_00458C54
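The evidence lines above each name a function in the native sample, the instruction sequence that triggered the rule, and the address of that instruction. `push imm32; ret` hands control to the pushed address without a `jmp` or `call` appearing in the listing, which is why sandboxes flag it as a possible anti-disassembly trick. Two caveats before reading much into it: in every push/ret hit listed here the pushed address is exactly the address of the `ret` plus 8, which is what a compiler-generated epilogue looks like (Delphi, for example, emits `push offset exit_label`, the finally body, then `ret` for try/finally blocks), and `push ecx; mov dword ptr [esp], edx` is an ordinary register-save idiom. On their own these are weak signals; the verdict on this page rests on the Nanocore, unpacking and injection signatures, not on these lines. The following scanner is an added example, not part of the report: it finds both byte patterns in a 32-bit code region, computes where each push/ret lands, and runs over a constructed 64-byte buffer laid out to reproduce the first hit quoted above (function 0042E6E0, push at 0042E70B, ret at 0042E710, target 0042E718). The buffer contents and the region-locality check are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Byte patterns behind the report's evidence lines (32-bit x86):
#   68 imm32 C3   -> push imm32 ; ret   (control transfer with no jmp/call in the listing)
#   51 89 14 24   -> push ecx ; mov dword ptr [esp], edx
PUSH_IMM32 = 0x68
RET = 0xC3
PUSH_ECX_MOV_ESP_EDX = bytes.fromhex("51891424")


@dataclass
class Hit:
    kind: str
    address: int            # virtual address of the first instruction of the pattern
    target: Optional[int]   # effective branch target for push/ret, None otherwise
    summary: str


def scan_code(code: bytes, base: int) -> List[Hit]:
    """Linear byte scan of a code region mapped at `base` (assumed x86-32).

    This is a heuristic, not a disassembler: a pattern can also match inside
    data or in the middle of a longer instruction, so hits are leads to confirm
    in a disassembler, not proof of obfuscation.
    """
    hits: List[Hit] = []
    i, n = 0, len(code)
    while i < n:
        if code[i] == PUSH_IMM32 and i + 6 <= n and code[i + 5] == RET:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            ret_va = base + i + 5
            hits.append(Hit(
                "push-ret", base + i, imm,
                f"{base + i:08X} push {imm:08X}h; ret  -> jumps to {imm:08X}h "
                f"({imm - ret_va:+d} bytes from the ret at {ret_va:08X})"))
            i += 6
            continue
        if code[i:i + 4] == PUSH_ECX_MOV_ESP_EDX:
            hits.append(Hit("push-ecx-mov", base + i, None,
                            f"{base + i:08X} push ecx; mov dword ptr [esp], edx"))
            i += 4
            continue
        i += 1
    return hits


def in_region(hit: Hit, base: int, size: int) -> bool:
    """True when a push/ret target lands inside the scanned region (a short local
    jump, as in the report's 0042E710 -> 0042E718 case) rather than somewhere else."""
    return hit.target is not None and base <= hit.target < base + size


# Constructed sample region (NOT bytes from the analysed file): 64 bytes of NOP
# laid out so the hits reproduce the addresses quoted in the report.
SAMPLE_BASE = 0x0042E6E0
_buf = bytearray(b"\x90" * 64)
_buf[0:4] = PUSH_ECX_MOV_ESP_EDX                                   # at 0042E6E0
_buf[0x2B:0x31] = bytes([PUSH_IMM32]) + struct.pack("<I", 0x0042E718) + bytes([RET])  # push at 0042E70B, ret at 0042E710
SAMPLE_CODE = bytes(_buf)


def demo() -> List[Hit]:
    hits = scan_code(SAMPLE_CODE, SAMPLE_BASE)
    for h in hits:
        local = " (target inside region)" if in_region(h, SAMPLE_BASE, len(SAMPLE_CODE)) else ""
        print(h.summary + local)
    return hits


if __name__ == "__main__":
    demo()
```

To use it on a real region, read the bytes of the function's section from the unpacked image (or a memory dump) and pass the section's virtual address as `base`; a cluster of push/ret hits whose targets are all a small fixed distance past the `ret`, as on this page, points at compiler output, while targets scattered across the image or outside it deserve a closer look.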
        Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 0.2.Project Document A02057 NMB TYP PIP SPC 40000_REV_D Spec_scanned from a xerox printer002.pdf.exe.28a0000.2.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.2.dhcpmon.exe.4550000.3.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.2.dhcpmon.exe.4550000.3.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.2.dhcpmon.exe.2430000.2.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.2.dhcpmon.exe.2430000.2.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.2.dhcpmon.exe.24c0000.3.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.2.dhcpmon.exe.24c0000.3.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.2.dhcpmon.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.2.dhcpmon.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
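The "High entropy of concatenated method names" lines are the sandbox's way of saying the .NET module's identifiers are machine-generated rather than written by a developer: every method (and the two source file names) follows the `#=q…` scheme that the ConfuserEx renamer produces, and a base64-like string has far more bits per character than a CamelCase English identifier. Two points worth noting: the same two name lists turn up in the unpacked region of the sample itself and in three regions of the `dhcpmon.exe` processes, which means the same .NET module is present in both, in line with the injection signatures listed for this sample; and obfuscated identifiers alone are not evidence of malice, since plenty of commercial .NET software ships through the same obfuscators, so this is a triage signal that adds weight only next to the other findings. The following is an added example, not part of the report, that reproduces the heuristic in Python over the ten method names quoted in the first evidence line and compares them with a constructed baseline of ordinary identifiers. The baseline names, the 5.0 bits/char threshold and the 50% renamed-fraction gate are assumptions chosen for the example.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# The ten method names the report lists for the unpacked .NET module (copied from the page).
REPORTED_METHOD_NAMES: List[str] = [
    "#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=",
    "#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=",
    "#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq",
    "#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=",
    "#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=",
    "#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA",
    "#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=",
    "#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=",
    "#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=",
    "#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=",
]

# Constructed baseline of ordinary, human-readable .NET method names (not from the sample).
PLAIN_METHOD_NAMES: List[str] = [
    "GetConnectionString", "ParseHeader", "SendHeartbeat", "ReadConfiguration",
    "WriteLogEntry", "Dispose", "InitializePlugins", "HandleCommand",
    "EncryptPayload", "ToString",
]

# Renamed identifiers of the form "#=q" + base64-like payload (alphanumerics plus
# '$' and '_', optional '=' padding), the shape ConfuserEx-style renaming produces.
RENAMED_IDENTIFIER = re.compile(r"^#=q[A-Za-z0-9_$]+={0,2}$")


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of `text`."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def assess_method_names(names: List[str], entropy_threshold: float = 5.0) -> Dict[str, object]:
    """Reproduce the sandbox heuristic: entropy of the concatenated names, plus the
    fraction of names that match the renaming scheme.

    The threshold is an assumption for this example: base64-like text drawn from
    roughly 64 symbols sits near 5.5-6.0 bits/char, while CamelCase English
    identifiers usually sit near 4.0-4.5.
    """
    joined = "".join(names)
    entropy = shannon_entropy(joined)
    renamed = sum(1 for name in names if RENAMED_IDENTIFIER.match(name))
    renamed_fraction = renamed / len(names) if names else 0.0
    return {
        "entropy": entropy,
        "renamed_fraction": renamed_fraction,
        "suspicious": entropy >= entropy_threshold or renamed_fraction >= 0.5,
    }


if __name__ == "__main__":
    for label, names in (("reported", REPORTED_METHOD_NAMES), ("plain", PLAIN_METHOD_NAMES)):
        result = assess_method_names(names)
        print(f"{label:9s} entropy={result['entropy']:.2f} bits/char  "
              f"renamed={result['renamed_fraction']:.0%}  suspicious={result['suspicious']}")
```

In practice the name list comes from the module's metadata tables (any .NET metadata reader will enumerate MethodDef rows); the entropy gate and the scheme regex are complementary, since the regex catches this particular obfuscator's output even on short name lists where entropy is noisy, while the entropy measure still fires on renamers that use a different prefix.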