Analysis Report Package_details.exe

Overview

General Information

Sample Name: Package_details.exe
Analysis ID: 321402
MD5: ce3c5367fb067a45f5fa10c35ca23a28
SHA1: 9d0f4d746747a6fd13a48b1a867eb8d103d9daec
SHA256: e4fc20492ed4f4750766382f6578d84f38bf680646eb6b5193c5733925941f67
Tags: NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Package_details.exe (PID: 1092 cmdline: 'C:\Users\user\Desktop\Package_details.exe' MD5: CE3C5367FB067A45F5FA10C35CA23A28)
    • cmd.exe (PID: 4092 cmdline: cmd /c schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 2296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5464 cmdline: schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml' MD5: 15FF7D8324231381BAD48A052F85DF04)
    • Package_details.exe (PID: 4156 cmdline: C:\Users\user\Desktop\Package_details.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
      • schtasks.exe (PID: 5592 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5108 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp33C5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Package_details.exe (PID: 5804 cmdline: C:\Users\user\Desktop\Package_details.exe 0 MD5: CE3C5367FB067A45F5FA10C35CA23A28)
    • Package_details.exe (PID: 4168 cmdline: C:\Users\user\Desktop\Package_details.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
    • Package_details.exe (PID: 2140 cmdline: C:\Users\user\Desktop\Package_details.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
      • Package_details.exe (PID: 6304 cmdline: C:\Users\user\Desktop\Package_details.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
  • dhcpmon.exe (PID: 4112 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: CE3C5367FB067A45F5FA10C35CA23A28)
    • dhcpmon.exe (PID: 5712 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
  • dhcpmon.exe (PID: 4604 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: CE3C5367FB067A45F5FA10C35CA23A28)
    • dhcpmon.exe (PID: 6236 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
    • dhcpmon.exe (PID: 6296 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
      • dhcpmon.exe (PID: 6532 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x251e5:$x1: NanoCore.ClientPluginHost
  • 0x25222:$x2: IClientNetworkHost
  • 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x24f5d:$x1: NanoCore Client.exe
  • 0x251e5:$x2: NanoCore.ClientPluginHost
  • 0x2681e:$s1: PluginCommand
  • 0x26812:$s2: FileCommand
  • 0x276c3:$s3: PipeExists
  • 0x2d47a:$s4: PipeCreated
  • 0x2520f:$s5: IClientLoggingHost
0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x24f4d:$a: NanoCore
  • 0x24f5d:$a: NanoCore
  • 0x25191:$a: NanoCore
  • 0x251a5:$a: NanoCore
  • 0x251e5:$a: NanoCore
  • 0x24fac:$b: ClientPlugin
  • 0x251ae:$b: ClientPlugin
  • 0x251ee:$b: ClientPlugin
  • 0x250d3:$c: ProjectData
  • 0x25ada:$d: DESCrypto
  • 0x2d4a6:$e: KeepAlive
  • 0x2b494:$g: LogClientMessage
  • 0x2768f:$i: get_Connected
  • 0x25e10:$j: #=q
  • 0x25e40:$j: #=q
  • 0x25e5c:$j: #=q
  • 0x25e8c:$j: #=q
  • 0x25ea8:$j: #=q
  • 0x25ec4:$j: #=q
  • 0x25ef4:$j: #=q
  • 0x25f10:$j: #=q
00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(96 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.dhcpmon.exe.5760000.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.dhcpmon.exe.5760000.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.5760000.2.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
12.2.dhcpmon.exe.5760000.2.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
19.2.Package_details.exe.2970000.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(103 entries in total)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Package_details.exe, ProcessId: 4156, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\Package_details.exe, ParentImage: C:\Users\user\Desktop\Package_details.exe, ParentProcessId: 4156, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp', ProcessId: 5592

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 34%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: Package_details.exe | ReversingLabs: Detection: 25%
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\AppData\sysfonts.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Package_details.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Package_details.exe.3160000.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.dhcpmon.exe.2420000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.Package_details.exe.25c0000.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 21.2.dhcpmon.exe.5470000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.Package_details.exe.1910000.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.Package_details.exe.2fb0000.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.dhcpmon.exe.df0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.Package_details.exe.2db0000.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.Package_details.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 18.2.dhcpmon.exe.2a40000.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.dhcpmon.exe.2600000.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.dhcpmon.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.dhcpmon.exe.57b0000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.Package_details.exe.d10000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.dhcpmon.exe.2ae0000.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 21.2.dhcpmon.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 18.2.dhcpmon.exe.1040000.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.Package_details.exe.2ad0000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\Desktop\Package_details.exe | Code function: 19_2_00404A29 FindFirstFileExW,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_00404A29 FindFirstFileExW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49706 -> 209.159.151.5:24980
Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 209.159.151.5 ports 0,2,4,24980,8,9
Source: global traffic | TCP traffic: 192.168.2.3:49706 -> 209.159.151.5:24980
Source: Joe Sandbox View | ASN Name: IS-AS-1US IS-AS-1US
Source: unknown | TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: dhcpmon.exe, 0000000A.00000002.242645908.0000000000EAA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: dhcpmon.exe, 0000000C.00000002.255256887.000000000365E000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.254375322.00000000013D8000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.254375322.00000000013D8000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.255256887.000000000365E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000002.273427338.0000000002ECE000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000002.270811037.0000000002AD2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000013.00000002.270811037.0000000002AD2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000002.279548840.0000000005472000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000015.00000002.279548840.0000000005472000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000000C.00000002.255293475.0000000004651000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0000000C.00000002.255293475.0000000004651000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000002.279433728.00000000032DE000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 6532, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 6532, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: Package_details.exe PID: 4156, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: Package_details.exe PID: 5804, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: Package_details.exe PID: 5804, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 4604, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 4604, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 5712, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 5712, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: Package_details.exe PID: 2140, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: Package_details.exe PID: 2140, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: dhcpmon.exe PID: 4112, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: dhcpmon.exe PID: 4112, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: Package_details.exe PID: 6304, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: Package_details.exe PID: 6304, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.dhcpmon.exe.5760000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.5760000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.Package_details.exe.2970000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.Package_details.exe.2970000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 14.2.Package_details.exe.1110000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 14.2.Package_details.exe.1110000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.Package_details.exe.24e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.Package_details.exe.24e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 18.2.dhcpmon.exe.ba0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 18.2.dhcpmon.exe.ba0000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.dhcpmon.exe.2970000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.dhcpmon.exe.2970000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.2.dhcpmon.exe.5470000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 21.2.dhcpmon.exe.5470000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.Package_details.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.Package_details.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Package_details.exe.1890000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Package_details.exe.1890000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 21.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.2.dhcpmon.exe.2f10000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 21.2.dhcpmon.exe.2f10000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 18.2.dhcpmon.exe.ba0000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 18.2.dhcpmon.exe.ba0000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 13.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 13.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.Package_details.exe.2970000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.Package_details.exe.2970000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.dhcpmon.exe.5760000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.5760000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.Package_details.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.Package_details.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 10.2.dhcpmon.exe.2970000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 10.2.dhcpmon.exe.2970000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.Package_details.exe.1890000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.Package_details.exe.1890000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 14.2.Package_details.exe.1110000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 14.2.Package_details.exe.1110000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.Package_details.exe.24e0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.Package_details.exe.24e0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 12.2.dhcpmon.exe.57b0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 12.2.dhcpmon.exe.57b0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 21.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.2.dhcpmon.exe.2f10000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 21.2.dhcpmon.exe.2f10000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.Package_details.exe.2ad0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 19.2.Package_details.exe.2ad0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 0_2_00DA60B8
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 0_2_00D9F8B5
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 0_2_00D9A800
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 0_2_00DA6828
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 0_2_00DAB16E
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 0_2_00DADCF9
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 0_2_00DA6456
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 0_2_00DABC10
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 0_2_00DA6C10
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 0_2_00DA5C23
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 0_2_00DAB6BF
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 0_2_00DACFC1
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 9_2_00DA60B8
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 9_2_00D9F8B5
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 9_2_00D9A800
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 9_2_00DA6828
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 9_2_00DAB16E
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 9_2_00DADCF9
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 9_2_00DA6456
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 9_2_00DABC10
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 9_2_00DA6C10
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 9_2_00DA5C23
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 9_2_00DAB6BF
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 9_2_00DACFC1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00316828
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0030A800
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0030F8B5
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_003160B8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0031B16E
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00315C23
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0031BC10
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00316C10
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00316456
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0031DCF9
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0031B6BF
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0031CFC1
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 11_2_00DA60B8
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 11_2_00D9F8B5
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 11_2_00D9A800
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 11_2_00DA6828
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 11_2_00DAB16E
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 11_2_00DADCF9
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 11_2_00DA6456
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 11_2_00DABC10
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 11_2_00DA6C10
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 11_2_00DA5C23
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 11_2_00DAB6BF
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 11_2_00DACFC1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_00316828
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0030A800
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0030F8B5
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_003160B8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0031B16E
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_00315C23
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0031BC10
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_00316C10
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_00316456
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0031DCF9
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0031B6BF
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0031CFC1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0040A2A5
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_03152EE2
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_058223A0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_05822FA8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_05823850
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_0582306F
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_00316828
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_0030A800
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_0030F8B5
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_003160B8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_00325968
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_0031B16E
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_00315C23
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_0031BC10
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_00316C10
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_00316456
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_0031DCF9
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_0031B6BF
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 13_2_0031CFC1
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 14_2_00DA60B8
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 14_2_00D9F8B5
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 14_2_00D9A800
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 14_2_00DA6828
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 14_2_00DAB16E
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 14_2_00DADCF9
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 14_2_00DA6456
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 14_2_00DABC10
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 14_2_00DA6C10
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 14_2_00DA5C23
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 14_2_00DAB6BF
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 14_2_00DACFC1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_00316828
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0030A800
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0030F8B5
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_003160B8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0031B16E
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_00315C23
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0031BC10
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_00316C10
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_00316456
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0031DCF9
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0031B6BF
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 18_2_0031CFC1
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 19_2_0040A2A5
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 19_2_02B423A0
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 19_2_02B42FA8
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 19_2_02B43850
      Source: C:\Users\user\Desktop\Package_details.exeCode function: 19_2_02B4306F
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_0040A2A5
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_02F02DC7
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_02F623A0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_02F62FA8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_02F63850
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_02F6306F
      Source: C:\Users\user\Desktop\Package_details.exeCode function: String function: 00D972E0 appears 78 times
      Source: C:\Users\user\Desktop\Package_details.exeCode function: String function: 00DA0C72 appears 56 times
      Source: C:\Users\user\Desktop\Package_details.exeCode function: String function: 00D9BED0 appears 44 times
      Source: C:\Users\user\Desktop\Package_details.exeCode function: String function: 00DA10D9 appears 80 times
      Source: C:\Users\user\Desktop\Package_details.exeCode function: String function: 00D9C147 appears 44 times
      Source: C:\Users\user\Desktop\Package_details.exeCode function: String function: 00D9C660 appears 36 times
      Source: C:\Users\user\Desktop\Package_details.exeCode function: String function: 00DA1840 appears 152 times
      Source: C:\Users\user\Desktop\Package_details.exeCode function: String function: 00D995BA appears 60 times
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 0030C147 appears 44 times
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 0030C660 appears 36 times
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 003110D9 appears 80 times
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 003095BA appears 59 times
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 00311840 appears 156 times
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 003072E0 appears 78 times
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 00310C72 appears 56 times
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 00401ED0 appears 44 times
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 0040569E appears 36 times
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 0030BED0 appears 44 times
      Source: Package_details.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: Package_details.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: Package_details.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: sysfonts.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: sysfonts.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: sysfonts.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dhcpmon.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dhcpmon.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dhcpmon.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: Package_details.exe, 00000000.00000003.212701368.0000000003476000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Package_details.exe
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Package_details.exe
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Package_details.exe
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs Package_details.exe
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Package_details.exe
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs Package_details.exe
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Package_details.exe
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Package_details.exe
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Package_details.exe
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Package_details.exe
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Package_details.exe
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs Package_details.exe
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Package_details.exe
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Package_details.exe
      Source: Package_details.exe, 00000009.00000003.236429993.0000000002A6F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Package_details.exe
      Source: Package_details.exe, 0000000E.00000003.253204804.0000000003146000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Package_details.exe
      Source: Package_details.exe, 00000013.00000002.273459332.0000000003EC1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Package_details.exe
      Source: Package_details.exe, 00000013.00000002.273459332.0000000003EC1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Package_details.exe
      Source: Package_details.exe, 00000013.00000002.273459332.0000000003EC1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Package_details.exe
      Source: Package_details.exe, 00000013.00000002.273769173.00000000050F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Package_details.exe
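The rows above come from the version resource (VS_VERSIONINFO StringFileInfo) of PE images found in the process memory: the `OriginalFilename` key and its value are stored as NUL-terminated UTF-16LE strings, and the report prints them with the NULs dropped, which is why `OriginalFilename` runs straight into `ntdll.dll` and why a stray `j%`, `4` or `<` (most likely neighbouring bytes of the resource) trails each value. The point of the check is the mismatch: a process called `Package_details.exe` carrying modules whose original names are `NanoCoreBase.dll`, `SurveillanceClientPlugin.dll`, `NetworkClientPlugin.dll` and so on is carrying the NanoCore client and its plugins. The scanner below is an added example (not part of this report or of any Joe Sandbox tooling) that finds every `OriginalFilename` value in a memory buffer and reports the ones that do not belong to the running image. The buffer is constructed inline with a simplified version-resource layout (UTF-16LE key, NUL, padding to a 4-byte boundary, UTF-16LE value, NUL); real resources carry length and type words in front of each entry, which the byte search does not depend on.

```python
"""Find OriginalFilename values in a memory dump and flag foreign ones.

Added example with a constructed buffer; the entry layout is a simplified
StringFileInfo fragment, not a full VS_VERSIONINFO parser.
"""
from __future__ import annotations

# The key exactly as it sits in memory: UTF-16LE plus its two-byte terminator.
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def find_original_filenames(buf: bytes) -> list:
    """Return every OriginalFilename value found in buf, in order of appearance."""
    names = []
    start = 0
    while True:
        idx = buf.find(KEY, start)
        if idx < 0:
            break
        pos = idx + len(KEY)
        # Skip the DWORD alignment padding that follows the key.
        while buf[pos:pos + 2] == b"\x00\x00":
            pos += 2
        # The value runs up to the next two-byte NUL on a UTF-16 boundary.
        end = pos
        while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
            end += 2
        try:
            value = buf[pos:end].decode("utf-16-le")
        except UnicodeDecodeError:
            value = ""
        if value:
            names.append(value)
        start = idx + len(KEY)
    return names


def foreign_original_filenames(buf: bytes, image_name: str) -> list:
    """Values that differ (case-insensitively) from the process's own image name."""
    want = image_name.lower()
    return [n for n in find_original_filenames(buf) if n.lower() != want]


def _vi_entry(key: str, value: str) -> bytes:
    """Build a simplified StringFileInfo entry: key, NUL, DWORD padding, value, NUL."""
    blob = key.encode("utf-16-le") + b"\x00\x00"
    blob += b"\x00" * (-len(blob) % 4)
    return blob + value.encode("utf-16-le") + b"\x00\x00"


# Constructed sample dump: three version entries separated by junk bytes, the
# names taken from the rows of this report.
SAMPLE_DUMP = (
    b"\x90" * 7
    + _vi_entry("OriginalFilename", "ntdll.dll")
    + b"j%"                      # neighbouring bytes, as in 'ntdll.dllj%'
    + b"\x00" * 5
    + _vi_entry("OriginalFilename", "NanoCoreBase.dll")
    + b"<"
    + _vi_entry("OriginalFilename", "Package_details.exe")
    + b"MZ\x90\x00"
)

if __name__ == "__main__":
    print("all:    ", find_original_filenames(SAMPLE_DUMP))
    print("foreign:", foreign_original_filenames(SAMPLE_DUMP, "Package_details.exe"))
```

On a real dump the `foreign` list is the one to read: system DLLs such as `ntdll.dll` and `user32` are expected in any process, while names like `NanoCoreBase.dll` or `SurveillanceClientPlugin.dll` identify the payload family even when the on-disk sample name says nothing.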
Yara matches on memory dumps and process memory (type: MEMORY). Three rules fire throughout this section; their metadata, as carried in the rule files, is listed once here and each match below names only the rule:
  Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
  Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
  NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 00000012.00000002.265645463.0000000000BA0000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 0000000E.00000002.256685765.0000000001110000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 00000015.00000002.279458357.00000000042D1000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 0000000C.00000002.255480144.00000000057B2000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000013.00000002.273459332.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000013.00000002.270080502.0000000002970000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 00000013.00000002.269469613.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 00000015.00000002.278607358.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 00000015.00000002.278916305.0000000001444000.00000004.00000020.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000000.00000002.216025049.0000000001890000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 00000013.00000002.269644528.0000000000966000.00000004.00000020.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 0000000C.00000002.254375322.00000000013D8000.00000004.00000020.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 0000000C.00000002.255256887.000000000365E000.00000004.00000001.sdmp, type: MEMORY, Matched rules: NanoCore
Source: 0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 00000013.00000002.273427338.0000000002ECE000.00000004.00000001.sdmp, type: MEMORY, Matched rules: NanoCore
Source: 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmp, type: MEMORY, Matched rules: NanoCore
Source: 00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 00000013.00000002.270811037.0000000002AD2000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000015.00000002.279548840.0000000005472000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 0000000C.00000002.255293475.0000000004651000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000015.00000002.279433728.00000000032DE000.00000004.00000001.sdmp, type: MEMORY, Matched rules: NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6532, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: Process Memory Space: Package_details.exe PID: 4156, type: MEMORY, Matched rules: NanoCore
Source: Process Memory Space: Package_details.exe PID: 5804, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 4604, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5712, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: Process Memory Space: Package_details.exe PID: 2140, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 4112, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: Process Memory Space: Package_details.exe PID: 6304, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
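The source identifiers in these match lines pack several facts into one string, and a triage script can use them. In a memory-dump id such as 0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp the first field is the sandbox process index in hex (0C = process 12, the same index that the unpacked-PE ids write in decimal, e.g. 12.2.dhcpmon.exe.5760000.2.unpack, which also carries the image name and the same base address), the fourth field is the region base address, and the fifth field looks like the region's page protection (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE). Reading that fifth field as Windows PAGE_* constants is an assumption; the stage, dump-number and last fields are left undecoded. The script below is an added example, not Joe Sandbox's own code: it parses the three source shapes seen here (dump ids, "Process Memory Space" entries, unpack ids), uses the unpack ids to attach an image name to each process index, collects the rules that fired per process, and flags hits inside writable-and-executable memory, which for the 0x400000 regions in this report is consistent with an unpacked PE mapped at the usual x86 image base. The sample lines are copied from this report, some with their rule metadata shortened to the leading fields; the fused "MEMORYMatched rule:" spelling that scraping produces is tolerated.

```python
"""Triage helper for Joe Sandbox "Matched rule" evidence lines (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Windows memory-protection constants (winnt.h). ASSUMPTION: the fifth dotted field of a
# .sdmp id (00000040 / 00000004 / 00000002 in this report) is the region's PAGE_* protection.
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# <proc idx hex>.<stage>.<dump no>.<base addr>.<protect>.<kind>.sdmp; only proc, addr, protect are decoded
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)
PID_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")
# <proc idx dec>.<stage>.<image name>.<base addr hex>.<n>.[raw.]unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-fA-F]+)\.(?P<n>\d+)\.(?:raw\.)?unpack$"
)
# \s* between the type and "Matched rule:" tolerates the fused "MEMORYMatched rule:" of a scraped report
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?), type: (?P<type>MEMORY|UNPACKEDPE)\s*Matched rule: (?P<rule>\S+)\s*(?P<meta>.*)$"
)
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")  # "key = value, key = value" rule metadata


@dataclass
class Hit:
    rule: str
    source_type: str            # the report's "type:" field, MEMORY or UNPACKEDPE
    source_kind: str            # dump | process | unpack
    proc: Optional[int]         # sandbox process index (hex in dump ids, decimal in unpack ids)
    image: Optional[str]
    pid: Optional[int]
    address: Optional[int]
    protect: Optional[int]
    meta: dict


def parse_source(src: str) -> dict:
    """Decode one Source identifier into its components."""
    m = DUMP_RE.match(src)
    if m:
        return {"kind": "dump", "proc": int(m["proc"], 16), "image": None, "pid": None,
                "address": int(m["addr"], 16), "protect": int(m["prot"], 16)}
    m = PID_RE.match(src)
    if m:
        return {"kind": "process", "proc": None, "image": m["image"], "pid": int(m["pid"]),
                "address": None, "protect": None}
    m = UNPACK_RE.match(src)
    if m:
        return {"kind": "unpack", "proc": int(m["proc"]), "image": m["image"], "pid": None,
                "address": int(m["addr"], 16), "protect": None}
    raise ValueError(f"unrecognised source id: {src!r}")


def parse_hit(line: str) -> Hit:
    """Parse one 'Source: ..., type: ... Matched rule: ...' evidence line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Matched rule line: {line!r}")
    src = parse_source(m["src"])
    return Hit(rule=m["rule"], source_type=m["type"], source_kind=src["kind"], proc=src["proc"],
               image=src["image"], pid=src["pid"], address=src["address"], protect=src["protect"],
               meta=dict(META_RE.findall(m["meta"])))


def triage(lines) -> dict:
    """Group hits per sandbox process index (dump + unpack ids) and per live PID."""
    by_index = defaultdict(lambda: {"image": None, "rules": set(), "rwx_regions": set()})
    by_pid = defaultdict(set)
    for line in lines:
        h = parse_hit(line)
        if h.proc is None:                       # "Process Memory Space" entries only carry a PID
            by_pid[(h.image, h.pid)].add(h.rule)
            continue
        entry = by_index[h.proc]
        entry["rules"].add(h.rule)
        if h.image:                              # unpack ids name the image; dump ids do not
            entry["image"] = h.image
        if h.protect == PAGE_EXECUTE_READWRITE:  # Yara hit inside writable+executable memory
            entry["rwx_regions"].add(h.address)
    return {"by_index": dict(by_index), "by_pid": dict(by_pid)}


def rwx_payload_candidates(report: dict) -> list:
    """Heuristic: process indexes whose Yara hits include an RWX region (unpacked or injected payload)."""
    return sorted(i for i, e in report["by_index"].items() if e["rwx_regions"])


# Evidence lines copied from this report; all but the first have their metadata shortened.
SAMPLE_LINES = [
    "Source: 0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp, type: MEMORY"
    " Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050,"
    " author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/,"
    " score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/",
    "Source: 0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp, type: MEMORY"
    " Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>",
    "Source: 00000013.00000002.269469613.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule:"
    " Nanocore_RAT_Feb18_1 date = 2018-02-19, author = Florian Roth",
    "Source: Process Memory Space: dhcpmon.exe PID: 6532, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22",
    "Source: 12.2.dhcpmon.exe.5760000.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19",
    "Source: 19.2.Package_details.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for idx, e in sorted(result["by_index"].items()):
        rwx = ", ".join(hex(a) for a in sorted(e["rwx_regions"])) or "-"
        print(f"process {idx:2d} {e['image'] or '?':22s} rules={sorted(e['rules'])} rwx={rwx}")
    print("RWX payload candidates:", rwx_payload_candidates(result))
```

Run against the full list of match lines in this report, the per-index view collapses the three rules and the dozens of dump ids into one row per sandbox process, and the RWX filter separates the 0x400000 hits (a PE written over the image base) from the heap and private-memory hits at 0x2970000, 0x5760000 and similar, which is the distinction an analyst needs when deciding which dump to carve the NanoCore client and its config from.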
Yara matches on unpacked PEs (type: UNPACKEDPE); rule metadata as listed above, each match names only the rule:
Source: 12.2.dhcpmon.exe.5760000.2.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 19.2.Package_details.exe.2970000.2.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 14.2.Package_details.exe.1110000.2.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 9.2.Package_details.exe.24e0000.3.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 13.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 18.2.dhcpmon.exe.ba0000.2.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 10.2.dhcpmon.exe.2970000.3.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 21.2.dhcpmon.exe.5470000.3.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 19.2.Package_details.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
Source: 0.2.Package_details.exe.1890000.2.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 12.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 21.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 21.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.2.dhcpmon.exe.2f10000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 21.2.dhcpmon.exe.2f10000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 21.2.dhcpmon.exe.2f10000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 18.2.dhcpmon.exe.ba0000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 18.2.dhcpmon.exe.ba0000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 18.2.dhcpmon.exe.ba0000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.Package_details.exe.2970000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.Package_details.exe.2970000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 19.2.Package_details.exe.2970000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.dhcpmon.exe.5760000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.dhcpmon.exe.5760000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.dhcpmon.exe.5760000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.Package_details.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.Package_details.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 19.2.Package_details.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.dhcpmon.exe.2970000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.dhcpmon.exe.2970000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.dhcpmon.exe.2970000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.Package_details.exe.1890000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Package_details.exe.1890000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Package_details.exe.1890000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 14.2.Package_details.exe.1110000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 14.2.Package_details.exe.1110000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 14.2.Package_details.exe.1110000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.Package_details.exe.24e0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.Package_details.exe.24e0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 9.2.Package_details.exe.24e0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.dhcpmon.exe.57b0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.dhcpmon.exe.57b0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.dhcpmon.exe.57b0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 21.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 21.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.2.dhcpmon.exe.2f10000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 21.2.dhcpmon.exe.2f10000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 21.2.dhcpmon.exe.2f10000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.Package_details.exe.2ad0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 19.2.Package_details.exe.2ad0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 19.2.Package_details.exe.2ad0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Decompiled .NET source of the unpacked payload. The class names are ConfuserEx-style obfuscated names; the report records them with their \u escapes stripped (u0023u003dq...u003du003d), which decodes to #=q...== (\u0023 = '#', \u003d = '=').

Cryptographic APIs (the same two classes in each of the three unpacked regions 12.2.dhcpmon.exe.57b0000.3.unpack, 19.2.Package_details.exe.2ad0000.3.unpack and 21.2.dhcpmon.exe.5470000.3.unpack):
  #=qjIje6jGWLd2EOkfZXKqBbg==.cs (recorded as u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs) | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
  #=qVxXNKnhAcArgJoGGYXiyyQ==.cs (recorded as u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs) | Cryptographic APIs: 'CreateDecryptor'
  #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'

Security API names (class #=qjIje6jGWLd2EOkfZXKqBbg==.cs, same three regions):
  System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
  System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

CreateDecryptor followed by TransformFinalBlock is the System.Security.Cryptography pattern for decrypting a buffer in one call, i.e. the payload decrypts embedded data (settings or a further stage) at run time rather than storing it in clear. WindowsIdentity.GetCurrent() plus WindowsPrincipal.IsInRole(WindowsBuiltInRole) is a check of the current token's built-in role membership; the role argument is not recorded in the report.
Source: classification engine | Classification label: mal100.troj.evad.winEXE@31/13@0/1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_00401489 GetModuleHandleW, GetModuleHandleW, FindResourceW, GetModuleHandleW, LoadResource, LockResource, GetModuleHandleW, SizeofResource, FreeResource, ExitProcess (a native resource-loading stub: it locates a resource in its own image, maps it, reads its size and exits; this is the code that runs before the .NET payload)
Source: C:\Users\user\Desktop\Package_details.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\Package_details.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1560:120:WilError_01
Source: C:\Users\user\Desktop\Package_details.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Package_details.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{8127ccf6-0246-44cc-81bf-cfc57c0704b0}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2296:120:WilError_01
Source: C:\Users\user\Desktop\Package_details.exe | File created: C:\Users\user\AppData\Local\Temp\AppData

Of the mutexes, the SM0:<pid>:120:WilError_01 objects are created by every conhost.exe instance and Global\.net clr networking by every .NET process; neither is an indicator. The GUID-named Global\{8127ccf6-0246-44cc-81bf-cfc57c0704b0} is the sample's own single-instance mutex and, together with the two GUID/"DHCP Monitor" directories, is the host-based indicator to hunt for this build.
Source: C:\Users\user\Desktop\Package_details.exe and C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Command line argument strings. The same eight strings are recorded, in the same order, for every instance of both processes (three Package_details.exe instances, three dhcpmon.exe instances):
  User
  32.d
  Rpcr
  t4.d
  cls
  5.Exit
  3.Show
  1.Install

The first four read as 4-character fragments of User32.dll and Rpcrt4.dll, and the last four as a numbered console menu (Install / Show / Exit); that is an interpretation of the strings, not something the report states.
Source: Package_details.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Package_details.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll (seen in two process instances)
Source: C:\Users\user\Desktop\Package_details.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Package_details.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll (seen in two process instances)
Source: C:\Users\user\Desktop\Package_details.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Package_details.exe | ReversingLabs: Detection: 25%

The NativeImages_v2.0.50727_32 path shows the payload runs on the 32-bit .NET Framework 2.0 CLR (mscorlib 2.0.0.0); the Safer\CodeIdentifiers key is the Software Restriction Policies location, read as a matter of course during process start and not specific to this sample.
      Source: Package_details.exeString found in binary or memory: </UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>
      Source: Package_details.exeString found in binary or memory: </UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>
      Source: Package_details.exeString found in binary or memory: </UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>
      Source: Package_details.exeString found in binary or memory: </UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>
      Source: dhcpmon.exeString found in binary or memory: </UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>
      Source: C:\Users\user\Desktop\Package_details.exe | File read: C:\Users\user\Desktop\Package_details.exe
      Source: unknown | Process created: C:\Users\user\Desktop\Package_details.exe 'C:\Users\user\Desktop\Package_details.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml'
      Source: unknown | Process created: C:\Users\user\Desktop\Package_details.exe C:\Users\user\Desktop\Package_details.exe
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml'
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp'
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp33C5.tmp'
      Source: unknown | Process created: C:\Users\user\Desktop\Package_details.exe C:\Users\user\Desktop\Package_details.exe 0
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Users\user\Desktop\Package_details.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml'
      Source: C:\Users\user\Desktop\Package_details.exe | Process created: C:\Users\user\Desktop\Package_details.exe C:\Users\user\Desktop\Package_details.exe
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml'
      Source: C:\Users\user\Desktop\Package_details.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp'
      Source: C:\Users\user\Desktop\Package_details.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp33C5.tmp'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\Desktop\Package_details.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: C:\Users\user\Desktop\Package_details.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: C:\Users\user\Desktop\Package_details.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: Package_details.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: wntdll.pdbUGP source: Package_details.exe, 00000000.00000003.211610804.0000000003360000.00000004.00000001.sdmp, Package_details.exe, 00000009.00000003.236110385.0000000002950000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000003.240365481.0000000002CE0000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000003.247549531.0000000002800000.00000004.00000001.sdmp, Package_details.exe, 0000000E.00000003.249944168.00000000031C0000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000003.262905644.0000000002C40000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: Package_details.exe, 00000000.00000003.211610804.0000000003360000.00000004.00000001.sdmp, Package_details.exe, 00000009.00000003.236110385.0000000002950000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000003.240365481.0000000002CE0000.00000004.00000001.sdmp, dhcpmon.exe, 0000000D.00000003.247549531.0000000002800000.00000004.00000001.sdmp, Package_details.exe, 0000000E.00000003.249944168.00000000031C0000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000003.262905644.0000000002C40000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmp

      Data Obfuscation:

      Detected unpacking (creates a PE file in dynamic memory)
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 21.2.dhcpmon.exe.5470000.3.unpack
      .NET source code contains potential unpacker
      Source: 12.2.dhcpmon.exe.57b0000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.2.dhcpmon.exe.57b0000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 19.2.Package_details.exe.2ad0000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 19.2.Package_details.exe.2ad0000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 21.2.dhcpmon.exe.5470000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 21.2.dhcpmon.exe.5470000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00DA9B4F LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00DA1885 push ecx; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00DB64B9 push eax; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00DB6538 push eax; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00D9BF6F push ecx; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 9_2_00DA1885 push ecx; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 9_2_00DB64B9 push eax; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 9_2_00DB6538 push eax; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 9_2_00D9BF6F push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00311885 push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_003264B9 push eax; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00326538 push eax; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0030BF6F push ecx; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 11_2_00DA1885 push ecx; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 11_2_00D9BF6F push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_00311885 push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_0030BF6F push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_00401F16 push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00311885 push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_003264B9 push eax; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00326538 push eax; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_0030BF6F push ecx; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 14_2_00DA1885 push ecx; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 14_2_00DB64B9 push eax; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 14_2_00DB6538 push eax; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 14_2_00D9BF6F push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_00311885 push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_003264B9 push eax; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_00326538 push eax; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_0030BF6F push ecx; ret
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 19_2_00401F16 push ecx; ret
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_00401F16 push ecx; ret
      Source: 12.2.dhcpmon.exe.57b0000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 12.2.dhcpmon.exe.57b0000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 19.2.Package_details.exe.2ad0000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 19.2.Package_details.exe.2ad0000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 21.2.dhcpmon.exe.5470000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 21.2.dhcpmon.exe.5470000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: C:\Users\user\Desktop\Package_details.exe | File created: C:\Users\user\AppData\Local\Temp\AppData\sysfonts.exe
      Source: C:\Users\user\Desktop\Package_details.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\Package_details.exe | File opened: C:\Users\user\Desktop\Package_details.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\Package_details.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Package_details.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
      Source: C:\Users\user\Desktop\Package_details.exe | Window / User API: threadDelayed 355
      Source: C:\Users\user\Desktop\Package_details.exe | Window / User API: threadDelayed 1143
      Source: C:\Users\user\Desktop\Package_details.exe | Window / User API: foregroundWindowGot 649
      Source: C:\Users\user\Desktop\Package_details.exe | Window / User API: foregroundWindowGot 654
      Source: C:\Users\user\Desktop\Package_details.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AppData\sysfonts.exe
      Source: C:\Users\user\Desktop\Package_details.exe TID: 2024 | Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Users\user\Desktop\Package_details.exe TID: 160 | Thread sleep time: -120000s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4456 | Thread sleep count: 43 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4944 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\Package_details.exe TID: 6376 | Thread sleep count: 41 > 30
      Source: C:\Users\user\Desktop\Package_details.exe TID: 6372 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6584 | Thread sleep count: 38 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6568 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (3 identical entries)
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_00404A29 FindFirstFileExW,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 19_2_00404A29 FindFirstFileExW,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_00404A29 FindFirstFileExW,
      Source: Package_details.exe, 00000002.00000003.222172752.0000000001653000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
      Source: Package_details.exe, 00000002.00000003.224689217.0000000001653000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\Package_details.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00D9F195 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00DA9B4F LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00D91FA0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00DB7A4E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00DBB3CD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00DBB46D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00DBB40A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 9_2_00D91FA0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 9_2_00DB7A4E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 9_2_00DBB3CD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 9_2_00DBB46D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 9_2_00DBB40A mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00301FA0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00327A4E mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0032B3CD mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0032B40A mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0032B46D mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00301FA0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00327A4E mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_0032B3CD mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_0032B40A mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_0032B46D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 14_2_00D91FA0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 14_2_00DB7A4E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 14_2_00DBB3CD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 14_2_00DBB46D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 14_2_00DBB40A mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_00301FA0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_00327A4E mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_0032B3CD mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_0032B40A mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_0032B46D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 19_2_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_004067FE GetProcessHeap,
      Source: C:\Users\user\Desktop\Package_details.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00D9F195 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00DA1C7F SetUnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00D9BEC1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 9_2_00D9F195 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 9_2_00DA1C7F SetUnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 9_2_00D9BEC1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0030F195 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00311C7F SetUnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0030BEC1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 11_2_00D9F195 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 11_2_00DA1C7F SetUnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 11_2_00D9BEC1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_0030F195 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_00311C7F SetUnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_0030BEC1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_00401E1D SetUnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_0030F195 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00311C7F SetUnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_0030BEC1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 14_2_00D9F195 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 14_2_00DA1C7F SetUnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 14_2_00D9BEC1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_0030F195 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_00311C7F SetUnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 18_2_0030BEC1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 19_2_00401E1D SetUnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 19_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 19_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: 19_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_00401E1D SetUnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 21_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Desktop\Package_details.exe | Memory allocated: page read and write | page guard
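The delay, PEB-read and IsDebuggerPresent rows above are the part of this section an analyst has to weigh by hand. The Python below is an added triage helper, not part of the Joe Sandbox report: it parses a handful of rows copied from this section (embedded as constructed sample input in a `Source: <process>[ TID: <n>] | <event>: <value>` layout), maps each to an anti-analysis indicator and summarises them per process. It leans on one piece of arithmetic: 922337203685477 equals Int64.MaxValue // 10000, which is .NET TimeSpan.MaxValue expressed in milliseconds, and the report's 1844674407370954 is exactly twice that. Treating such a value as "the thread parks forever" rather than a finite stall is my interpretation of a .NET infinite wait, not something the report states; the indicator names and the `analysis_aware` criteria are mine as well.

```python
import re
from collections import Counter, defaultdict

# Int64.MaxValue // 10_000 == 922337203685477: .NET TimeSpan.MaxValue in
# milliseconds. The report's delay values are exact multiples of this.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# Threshold the report itself applies ("... >= -30000s").
LONG_SLEEP_MS = 30_000

# Constructed sample: rows copied from this section, laid out as
# "Source: <process>[ TID: <n>] | <event>: <value>".
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\Package_details.exe TID: 2024 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\Package_details.exe TID: 160 | Thread sleep time: -120000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4456 | Thread sleep count: 43 > 30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4944 | Thread sleep time: -922337203685477s >= -30000s
Source: Package_details.exe, 00000002.00000003.222172752.0000000001653000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00D9F195 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00D91FA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Package_details.exe | Code function: 0_2_00DB7A4E mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_004035F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_004067FE GetProcessHeap,
"""

_TID_RE = re.compile(r"\s+TID:\s*(\d+)$")
_SLEEP_RE = re.compile(r"(-?\d+)s\b")
VM_STRINGS = ("Hyper-V", "VMware", "VBox", "VirtualBox", "QEMU")


def parse_row(line):
    """Split one evidence row into source, thread id, event name and value."""
    left, sep, right = line.partition(" | ")
    if not sep or not left.startswith("Source:"):
        return None
    source = left[len("Source:"):].strip()
    tid = None
    m = _TID_RE.search(source)
    if m:
        tid = int(m.group(1))
        source = source[:m.start()]
    event, _, value = right.partition(":")
    return {"source": source, "tid": tid, "event": event.strip(), "value": value.strip()}


def classify_sleep(value):
    """'-1844674407370954s >= -30000s' -> 'infinite'; '-120000s ...' -> 'long'."""
    m = _SLEEP_RE.match(value)
    if not m:
        return "unknown"
    ms = abs(int(m.group(1)))
    if ms and ms % TIMESPAN_MAX_MS == 0:
        return "infinite"          # TimeSpan.MaxValue (or a multiple): the thread never wakes
    return "long" if ms >= LONG_SLEEP_MS else "short"


def indicator(row):
    """Map a parsed row to one anti-analysis indicator, or None if it is noise."""
    event, value = row["event"], row["value"]
    if event == "Thread sleep time":
        return "sleep_" + classify_sleep(value)
    if event == "Thread sleep count":
        return "sleep_loop"               # many short sleeps to outlast a sandbox timeout
    if event == "Code function":
        if "fs:[00000030h]" in value:
            return "peb_read"             # TEB+0x30 -> PEB (BeingDebugged, NtGlobalFlag live there)
        if "IsDebuggerPresent" in value:
            return "debugger_check"
        if "GetProcessHeap" in value:
            return "heap_flags_check"     # weak: heap Flags/ForceFlags differ under a debugger
        return None
    if event == "Binary or memory string" and any(s in value for s in VM_STRINGS):
        return "vm_string"
    return None


def summarize(report_text):
    """Per-source counts of indicators, returned as plain dicts."""
    per_source = defaultdict(Counter)
    for line in report_text.splitlines():
        row = parse_row(line.strip())
        if row is None:
            continue
        kind = indicator(row)
        if kind:
            per_source[row["source"]][kind] += 1
    return {src: dict(c) for src, c in per_source.items()}


def analysis_aware(counts):
    """True when a process shows a pattern worth a manual look: an infinite park,
    a hypervisor string, or debugger probing via both the API and the PEB."""
    return bool(
        counts.get("sleep_infinite")
        or counts.get("vm_string")
        or (counts.get("peb_read") and counts.get("debugger_check"))
    )


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_ROWS).items():
        flag = "REVIEW" if analysis_aware(counts) else "ok"
        print(f"{flag:6} {src}: {counts}")
```

On the rows above, both the dropped `dhcpmon.exe` and the original `Package_details.exe` come out flagged: each has at least one TimeSpan.MaxValue park and a PEB read next to a CRT-style IsDebuggerPresent chain. The `GetProcessHeap` row alone would not be worth flagging, which is why it is scored only as a weak indicator.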

      HIPS / PFW / Operating System Protection Evasion:

      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\Package_details.exe | Section loaded: unknown target: C:\Users\user\Desktop\Package_details.exe protection: execute and read and write (2 identical entries)
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: unknown target: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe protection: execute and read and write (2 identical entries)
      Source: C:\Users\user\Desktop\Package_details.exe | Process created: C:\Users\user\Desktop\Package_details.exe C:\Users\user\Desktop\Package_details.exe (3 identical entries)
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml'
      Source: C:\Users\user\Desktop\Package_details.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp'
      Source: C:\Users\user\Desktop\Package_details.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp33C5.tmp'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe (3 identical entries)
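Three of the process-creation rows above are the persistence step: schtasks is handed a task definition XML that lives in the user's Temp directory, twice with /f so that an existing task of the same name is replaced without a prompt. The Python below is an added detection example, not part of the report or of Joe Sandbox. It runs that check over constructed process-creation events (parent image plus command line, taken from the rows above, with one benign control added) and, for each hit, names the two host artifacts to collect in response: the registered task file under C:\Windows\System32\Tasks and its key under the Schedule\TaskCache\Tree registry tree. The single quotes around arguments are how the report renders them, so the tokenizer accepts both single and double quotes. The function names and the "suspicious" criteria are my own.

```python
import re

# Constructed sample events: (parent image, command line). The first three are
# the schtasks rows from this section; the fourth is a benign control.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml'"),
    (r"C:\Users\user\Desktop\Package_details.exe",
     r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp'"),
    (r"C:\Users\user\Desktop\Package_details.exe",
     r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp33C5.tmp'"),
    (r"C:\Windows\System32\cmd.exe",
     r'schtasks /Create /TN "Backup Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'),
]

# Quoted arguments stay whole; everything else splits on whitespace.
_TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
# Temp-style staging locations for the task XML (matched against the lower-cased path).
_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\|%temp%|%tmp%")
TASKS_DIR = r"C:\Windows\System32\Tasks"
TASKCACHE_TREE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"


def tokenize(cmdline):
    """Split a Windows command line, stripping matching quotes from arguments."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] and t[0] in "'\"" else t
            for t in _TOKEN_RE.findall(cmdline)]


def _arg_after(tokens, switch):
    """Value following a switch such as /tn or /xml (case-insensitive), or None."""
    lower = [t.lower() for t in tokens]
    if switch in lower:
        i = lower.index(switch)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def analyze(parent_image, cmdline):
    """Return a finding dict for 'schtasks /create' events, None for anything else."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    if image not in ("schtasks", "schtasks.exe"):
        return None
    lower = [t.lower() for t in tokens]
    if "/create" not in lower:
        return None
    xml_path = _arg_after(tokens, "/xml")
    reasons = []
    if xml_path and _TEMP_RE.search(xml_path.lower()):
        reasons.append("task XML staged in a temp directory")
    if "\\users\\" in parent_image.lower():
        reasons.append("parent process runs from a user-writable path")
    return {
        "parent": parent_image,
        "task_name": _arg_after(tokens, "/tn"),
        "xml_path": xml_path,
        "force": "/f" in lower,          # /f replaces an existing task of that name without prompting
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def task_artifacts(task_name):
    """Where a registered task of this name lives on disk and in the registry."""
    return (f"{TASKS_DIR}\\{task_name}", f"{TASKCACHE_TREE}\\{task_name}")


if __name__ == "__main__":
    for parent, cmd in SAMPLE_EVENTS:
        finding = analyze(parent, cmd)
        if finding and finding["suspicious"]:
            print(f"SUSPICIOUS task {finding['task_name']!r} from {finding['xml_path']}: "
                  + "; ".join(finding["reasons"]))
            for artifact in task_artifacts(finding["task_name"]):
                print("   collect:", artifact)
```

The check is deliberately narrow: it only fires on /create with an XML staged under a Temp path or launched from a user-writable parent, so a legitimate administrator importing a task definition from ProgramData (the fourth sample event) passes. When it does fire, the task file and TaskCache key carry the real payload path and trigger, which is what the temporary XML (already deleted by the time anyone looks) would have shown.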
      Source: Package_details.exe, 00000002.00000003.301899364.000000000161F000.00000004.00000001.sdmp | Binary or memory string: Program Manager
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_0040208D cpuid
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: GetLocaleInfoA,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
      Source: C:\Users\user\Desktop\Package_details.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: GetLocaleInfoA,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
      Source: C:\Users\user\Desktop\Package_details.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
      Source: C:\Users\user\Desktop\Package_details.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: GetLocaleInfoA,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
      Source: C:\Users\user\Desktop\Package_details.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: GetLocaleInfoA,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
      Source: C:\Users\user\Desktop\Package_details.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: GetLocaleInfoA,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: 0_2_00DA239A GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
      Source: C:\Users\user\Desktop\Package_details.exe Code function: 0_2_00DB8CC9 GetUserNameA,CreateFileW,WriteFile,FindCloseChangeNotification,VirtualAlloc,CreateProcessW,
      Source: C:\Users\user\Desktop\Package_details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\Package_details.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\Package_details.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\Package_details.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
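      The three ROOT\SecurityCenter2 queries and the MachineGuid read above are the client profiling its host: which antivirus, antispyware and firewall products are registered, plus a stable per-machine identifier to report back. The Python below is an added example and not part of the Joe Sandbox report. It parses evidence lines in the report's own "Source: <process> WMI Queries: ..." and "Key value queried: ..." shape (the sample lines are constructed here, with a space between the process path and the evidence type) and only flags a process that both enumerates security products and reads MachineGuid, since either event on its own is common in legitimate software. The `SECURITY_CLASSES` set and the technique labels are this example's own naming.

```python
"""Classify sandbox evidence lines for security-product enumeration and
host fingerprinting. Added example; not part of the Joe Sandbox report."""
import re
from typing import Dict, List, Optional

# Constructed sample lines in the report's "Source: <process> <evidence>" shape
# (assumption: a space separates the process path from the evidence type).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Package_details.exe Key value queried: "
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\Package_details.exe WMI Queries: IWbemServices::ExecQuery - "
    r"ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\Package_details.exe WMI Queries: IWbemServices::ExecQuery - "
    r"ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct",
    r"Source: C:\Users\user\Desktop\Package_details.exe WMI Queries: IWbemServices::ExecQuery - "
    r"ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct",
    # Constructed benign-looking query, to show the classifier does not flag every WMI call.
    r"Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe WMI Queries: IWbemServices::ExecQuery - "
    r"ROOT\CIMV2 : SELECT Name FROM Win32_Processor",
]

WMI_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe)\s*WMI Queries: IWbemServices::ExecQuery - "
    r"(?P<ns>\S+) : (?P<wql>.+)$"
)
REG_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe)\s*Key value queried: (?P<key>.+) (?P<value>\S+)$"
)

# WMI classes under ROOT\SecurityCenter2 that reveal installed security products.
SECURITY_CLASSES = {"AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"}


def wql_class(wql: str) -> Optional[str]:
    """Return the class named in the WQL FROM clause, e.g. 'AntiVirusProduct'."""
    m = re.search(r"\bFROM\s+(\w+)", wql, re.IGNORECASE)
    return m.group(1) if m else None


def classify(line: str) -> Optional[Dict[str, str]]:
    """Map one evidence line to a technique label, or None if it is not parsed."""
    m = WMI_RE.match(line)
    if m:
        cls = wql_class(m.group("wql")) or ""
        in_sc2 = m.group("ns").upper().endswith("SECURITYCENTER2")
        technique = ("security_product_enumeration"
                     if in_sc2 and cls in SECURITY_CLASSES else "wmi_query")
        return {"process": m.group("proc"), "technique": technique, "detail": cls}
    m = REG_RE.match(line)
    if m:
        key, value = m.group("key"), m.group("value")
        technique = "machine_fingerprint" if value.lower() == "machineguid" else "registry_read"
        return {"process": m.group("proc"), "technique": technique, "detail": key + "\\" + value}
    return None


def processes_profiling_host(lines: List[str]) -> List[str]:
    """Processes that both enumerate security products and read MachineGuid.
    Requiring both events in one process is what makes this specific: AV
    enumeration alone is also done by installers and inventory agents."""
    seen: Dict[str, set] = {}
    for finding in filter(None, map(classify, lines)):
        seen.setdefault(finding["process"], set()).add(finding["technique"])
    wanted = {"security_product_enumeration", "machine_fingerprint"}
    return sorted(p for p, techniques in seen.items() if wanted <= techniques)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(classify(sample))
    print("host profiling:", processes_profiling_host(SAMPLE_LINES))
```

      The same two-event rule translates directly to endpoint telemetry: a WMI-activity event for `ROOT\SecurityCenter2` plus a registry-read event for `HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid` from a process started out of a user profile directory, as Package_details.exe is here.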

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match; File source: 0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000012.00000002.265645463.0000000000BA0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000E.00000002.256685765.0000000001110000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000015.00000002.279458357.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000C.00000002.255480144.00000000057B2000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000013.00000002.273459332.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000013.00000002.270080502.0000000002970000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000013.00000002.269469613.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000015.00000002.278607358.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000015.00000002.278916305.0000000001444000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match; File source: 00000000.00000002.216025049.0000000001890000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000013.00000002.269644528.0000000000966000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000C.00000002.254375322.00000000013D8000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000013.00000002.270811037.0000000002AD2000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000015.00000002.279548840.0000000005472000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000C.00000002.255293475.0000000004651000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 6532, type: MEMORY
      Source: Yara match; File source: Process Memory Space: Package_details.exe PID: 5804, type: MEMORY
      Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 4604, type: MEMORY
      Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 5712, type: MEMORY
      Source: Yara match; File source: Process Memory Space: Package_details.exe PID: 2140, type: MEMORY
      Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 4112, type: MEMORY
      Source: Yara match; File source: Process Memory Space: Package_details.exe PID: 6304, type: MEMORY
      Source: Yara match; File source: 12.2.dhcpmon.exe.5760000.2.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 19.2.Package_details.exe.2970000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 14.2.Package_details.exe.1110000.2.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 9.2.Package_details.exe.24e0000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 13.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 18.2.dhcpmon.exe.ba0000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.2.dhcpmon.exe.2970000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 21.2.dhcpmon.exe.5470000.3.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 19.2.Package_details.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 0.2.Package_details.exe.1890000.2.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 12.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 21.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 21.2.dhcpmon.exe.2f10000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 18.2.dhcpmon.exe.ba0000.2.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 13.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 19.2.Package_details.exe.2970000.2.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 12.2.dhcpmon.exe.5760000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 19.2.Package_details.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.2.dhcpmon.exe.2970000.3.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 0.2.Package_details.exe.1890000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 14.2.Package_details.exe.1110000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 12.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 9.2.Package_details.exe.24e0000.3.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 12.2.dhcpmon.exe.57b0000.3.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 21.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 21.2.dhcpmon.exe.2f10000.2.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 19.2.Package_details.exe.2ad0000.3.unpack, type: UNPACKEDPE
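      Every match above is of type MEMORY or UNPACKEDPE: the rule fires on the decrypted .NET client once it is resident in Package_details.exe and the dhcpmon.exe copies, not on the packed file that was submitted. The Python below is an added example, not the community Yara rule the report ran. It scans a memory dump for a handful of the NanoCore plugin-host .NET metadata names that the report's own string evidence shows (NanoCore.ClientPluginHost, IClientNetworkHost, NanoCoreBase.dll and so on), in both ASCII and UTF-16LE because .NET metadata names sit in the ASCII #Strings heap while managed string literals are UTF-16LE, and returns a verdict once two distinct indicators are found. The dump bytes are constructed inline; the indicator list and the two-indicator threshold are this example's assumptions.

```python
"""Scan a memory dump for NanoCore plugin-host metadata names.
Added example; not the community Yara rule the report used."""
from typing import List, Tuple

# .NET metadata identifiers the report's string evidence shows in the unpacked
# client. Assumption: this short list is enough for a triage verdict; the real
# Yara rule is richer and also matches on code, not only strings.
INDICATORS = [
    "NanoCore.ClientPluginHost",
    "IClientNetworkHost",
    "IClientLoggingHost",
    "NanoCoreBase.dll",
    "NanoCoreBase.Resources",
    "set CDAudio door open",
]

Hit = Tuple[int, str, str]  # (offset, encoding, indicator)


def scan(data: bytes) -> List[Hit]:
    """Find every indicator as ASCII (metadata #Strings heap) and as UTF-16LE
    (managed string literals in the #US heap), sorted by offset."""
    hits: List[Hit] = []
    for ind in INDICATORS:
        for enc, needle in (("ascii", ind.encode("ascii")),
                            ("utf-16le", ind.encode("utf-16-le"))):
            pos = data.find(needle)
            while pos != -1:
                hits.append((pos, enc, ind))
                pos = data.find(needle, pos + 1)
    return sorted(hits)


def verdict(data: bytes, min_distinct: int = 2) -> bool:
    """True once at least `min_distinct` different indicators are present,
    so a single coincidental string (an AV signature blob, a log line
    mentioning the family) does not trigger on its own."""
    return len({ind for _, _, ind in scan(data)}) >= min_distinct


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memory dump: filler bytes with three
    indicators embedded, one of them encoded as UTF-16LE."""
    filler = bytes(range(256)) * 4                        # 1024 bytes, no indicator text
    return (filler
            + b"\x00" * 16
            + b"NanoCore.ClientPluginHost"                # ASCII at offset 1040
            + b"\x00" * 8
            + "NanoCoreBase.dll".encode("utf-16-le")       # UTF-16LE at offset 1073
            + filler[:100]
            + b"IClientNetworkHost")                       # ASCII at offset 1205


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, enc, ind in scan(dump):
        print(f"0x{off:08x} {enc:8} {ind}")
    print("nanocore:", verdict(dump))
```

      Run it over dumps of the injected processes (the report's PIDs 5804, 2140, 6304 for Package_details.exe and the four dhcpmon.exe PIDs), not over the sample on disk, where the client is still encrypted. Plain string matching is a triage aid only: a crypter that renames or encrypts the plugin-host identifiers defeats it, which is why the report relies on a Yara rule and on behaviour rather than on strings alone.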

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttrib
uteGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenD
eleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: Package_details.exe, 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandH
andleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: Package_details.exe, 00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: Package_details.exe, 0000000E.00000002.256685765.0000000001110000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
      Source: Package_details.exe, String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, String found in binary or memory: NanoCore.ClientPluginHost
      Yara detected Nanocore RAT
      Source: Yara match, File source: 0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000012.00000002.265645463.0000000000BA0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000E.00000002.256685765.0000000001110000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000015.00000002.279458357.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.255480144.00000000057B2000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000013.00000002.273459332.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000013.00000002.270080502.0000000002970000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000013.00000002.269469613.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000015.00000002.278607358.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000015.00000002.278916305.0000000001444000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match, File source: 00000000.00000002.216025049.0000000001890000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000013.00000002.269644528.0000000000966000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.254375322.00000000013D8000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000013.00000002.270811037.0000000002AD2000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000015.00000002.279548840.0000000005472000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.255293475.0000000004651000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6532, type: MEMORY
      Source: Yara match, File source: Process Memory Space: Package_details.exe PID: 5804, type: MEMORY
      Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 4604, type: MEMORY
      Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 5712, type: MEMORY
      Source: Yara match, File source: Process Memory Space: Package_details.exe PID: 2140, type: MEMORY
      Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 4112, type: MEMORY
      Source: Yara match, File source: Process Memory Space: Package_details.exe PID: 6304, type: MEMORY
      Source: Yara match, File source: 12.2.dhcpmon.exe.5760000.2.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 19.2.Package_details.exe.2970000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 14.2.Package_details.exe.1110000.2.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.2.Package_details.exe.24e0000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 13.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 18.2.dhcpmon.exe.ba0000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 10.2.dhcpmon.exe.2970000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 21.2.dhcpmon.exe.5470000.3.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 19.2.Package_details.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 0.2.Package_details.exe.1890000.2.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 12.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 21.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 21.2.dhcpmon.exe.2f10000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 18.2.dhcpmon.exe.ba0000.2.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 13.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 19.2.Package_details.exe.2970000.2.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 12.2.dhcpmon.exe.5760000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 19.2.Package_details.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 10.2.dhcpmon.exe.2970000.3.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 0.2.Package_details.exe.1890000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 14.2.Package_details.exe.1110000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 12.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 9.2.Package_details.exe.24e0000.3.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 12.2.dhcpmon.exe.57b0000.3.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 21.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 21.2.dhcpmon.exe.2f10000.2.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 19.2.Package_details.exe.2ad0000.3.unpack, type: UNPACKEDPE

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection112 | Disable or Modify Tools1 | Input Capture21 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Deobfuscate/Decode Files or Information11 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Input Capture21 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Command and Scripting Interpreter3 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | File and Directory Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | Scheduled Task/Job1 | Logon Script (Mac) | Logon Script (Mac) | Software Packing21 | NTDS | System Information Discovery23 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading2 | LSA Secrets | Security Software Discovery131 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion2 | Cached Domain Credentials | Virtualization/Sandbox Evasion2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

      Behavior Graph

      Behavior Graph ID: 321402, Sample: Package_details.exe, Start date: 21/11/2020, Architecture: WINDOWS, Score: 100

      Signatures attached to the sample node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 11 other signatures

      Process tree recovered from the graph (indentation shows parent/child; dropped files, network contacts and signatures are listed under the process they belong to):

      Package_details.exe
        dropped: C:\Users\user\AppData\Local\...\sysfonts.exe (PE32)
        dropped: C:\...\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml (XML)
        signature: Maps a DLL or memory area into another process
        Package_details.exe
          network: 209.159.151.5 (24980, 49706), IS-AS-1US, United States
          dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32)
          dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
          dropped: C:\Users\user\AppData\Local\...\tmp30A7.tmp (XML)
          dropped: C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
          signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
          schtasks.exe
            conhost.exe
          schtasks.exe
            conhost.exe
        cmd.exe
          conhost.exe
          schtasks.exe
      Package_details.exe
        Package_details.exe
          signature: Maps a DLL or memory area into another process
          Package_details.exe
            dropped: C:\Users\user\...\Package_details.exe.log (ASCII)
        Package_details.exe
      dhcpmon.exe
        dhcpmon.exe
          dropped: C:\Users\user\AppData\...\dhcpmon.exe.log (ASCII)
      dhcpmon.exe
        dhcpmon.exe
          dhcpmon.exe
        dhcpmon.exe


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      Package_details.exe | 25% | ReversingLabs |
      Package_details.exe | 100% | Joe Sandbox ML |

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Local\Temp\AppData\sysfonts.exe | 100% | Joe Sandbox ML |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 35% | Virustotal |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 25% | ReversingLabs |

      Unpacked PE Files

      Source | Detection | Scanner | Label
      0.2.Package_details.exe.3160000.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
      13.2.dhcpmon.exe.2420000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
      9.2.Package_details.exe.25c0000.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
      21.2.dhcpmon.exe.5470000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      0.2.Package_details.exe.1910000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
      14.2.Package_details.exe.2fb0000.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
      10.2.dhcpmon.exe.df0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
      14.2.Package_details.exe.2db0000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
      19.2.Package_details.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      18.2.dhcpmon.exe.2a40000.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
      13.2.dhcpmon.exe.2600000.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
      12.2.dhcpmon.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      12.2.dhcpmon.exe.57b0000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      9.2.Package_details.exe.d10000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
      10.2.dhcpmon.exe.2ae0000.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
      21.2.dhcpmon.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      18.2.dhcpmon.exe.1040000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
      19.2.Package_details.exe.2ad0000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted IPs


      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      209.159.151.5 | unknown | United States | 19318 | IS-AS-1US | true

      General Information

      Joe Sandbox Version:31.0.0 Red Diamond
      Analysis ID:321402
      Start date:21.11.2020
      Start time:15:28:10
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 11m 28s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:Package_details.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of new started processes analysed:38
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@31/13@0/1
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 76.6% (good quality ratio 72.5%)
      • Quality average: 80.7%
      • Quality standard deviation: 28.7%
      HCA Information:
      • Successful, ratio: 82%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • TCP Packets have been reduced to 100
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
      • Report creation exceeded maximum time and may have missing disassembly code information.
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size exceeded maximum capacity and may have missing disassembly code.
      • Report size getting too big, too many NtQueryValueKey calls found.

      Simulations

      Behavior and APIs

      Time | Type | Description
      15:29:05 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      15:29:06 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Package_details.exe" s>$(Arg0)
      15:29:06 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
      15:29:06 | API Interceptor | 964x Sleep call for process: Package_details.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN


      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Process:C:\Users\user\Desktop\Package_details.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):508416
      Entropy (8bit):7.553173588079667
      Encrypted:false
      SSDEEP:12288:VYuE3woImTkWfHrqWWBKZ8r/VkZhRChRr+FDszyNghK:VYuE3woLdHr7WqnA37WNp
      MD5:CE3C5367FB067A45F5FA10C35CA23A28
      SHA1:9D0F4D746747A6FD13A48B1A867EB8D103D9DAEC
      SHA-256:E4FC20492ED4F4750766382F6578D84F38BF680646EB6B5193C5733925941F67
      SHA-512:AE46E93DD82128EFD0C1F8DAB094B7A51716A6BCDE6053A66EFDD8724115E7B6D4A0FAB1CAF0775482F358488EDEFE81BECDD01A2A820FBA9B338C30CB2D8A07
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      • Antivirus: Virustotal, Detection: 35%
      • Antivirus: ReversingLabs, Detection: 25%
      Reputation:low
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
      Process:C:\Users\user\Desktop\Package_details.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):26
      Entropy (8bit):3.95006375643621
      Encrypted:false
      SSDEEP:3:ggPYV:rPYV
      MD5:187F488E27DB4AF347237FE461A079AD
      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
      Malicious:true
      Reputation:high, very likely benign file
      Preview: [ZoneTransfer]....ZoneId=0
      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Package_details.exe.log
      Process:C:\Users\user\Desktop\Package_details.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):525
      Entropy (8bit):5.2874233355119316
      Encrypted:false
      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
      MD5:61CCF53571C9ABA6511D696CB0D32E45
      SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
      SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
      SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
      Malicious:true
      Reputation:moderate, very likely benign file
      Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):525
      Entropy (8bit):5.2874233355119316
      Encrypted:false
      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
      MD5:61CCF53571C9ABA6511D696CB0D32E45
      SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
      SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
      SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
      Malicious:true
      Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
      C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml
      Process:C:\Users\user\Desktop\Package_details.exe
      File Type:XML 1.0 document, ASCII text
      Category:dropped
      Size (bytes):1292
      Entropy (8bit):5.2398518553165365
      Encrypted:false
      SSDEEP:24:2do4+S8TcqdgrnIgFwvXVIrovlgU3ODOiIQRvh7hwZgvw43aVdy7Tbn:c+XBgzgXVIrovl33ODOiLdKZgfoI7/
      MD5:5363971BB4E75D190780EAE4B297A7DC
      SHA1:5A8A8BE876670C7B4502A40EBDB1A91BE55FA164
      SHA-256:4EE8F1603518DCD73AF9B0B1DC170826489587561BB8F35910A2A673AC077395
      SHA-512:7A4AE7E2590494D4B4CCD133453E160594A060AA9B4FD3E1175EDFA6D3B214E62BF3D72E9929A36A210377EF7AEBB75195165AEC57685B7B519656EF19A3996F
      Malicious:true
      Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version = "1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.<RegistrationInfo>.<Date>2015-09-27T14:27:44.8929027</Date > .<Author>549163\user</Author>.</RegistrationInfo>.<Triggers>.<LogonTrigger>.<Enabled>true</Enabled>.<UserId>549163\user</UserId>.</LogonTrigger>.<RegistrationTrigger>.<Enabled>false</Enabled>.</RegistrationTrigger>.</Triggers>.<Principals>.<Principal id="Author">.<UserId>549163\user</UserId>.<LogonType>InteractiveToken</LogonType>.<RunLevel>LeastPrivilege</RunLevel>.</Principal>.</Principals>.<Settings>.<MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.<AllowHardTerminate>false</AllowHardTerminate>.<StartWhenAvailable>true</StartWhenAvailable>.<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.<IdleSettings>.<StopOnIdleEnd>true</StopOnIdleEnd>.<RestartOnIdle>false</RestartOnIdle>.</IdleSettings>.<AllowStartOnDemand>true</AllowStartOnDemand>.<Enabled>true</Enabled>.<Hidden>fals
      C:\Users\user\AppData\Local\Temp\AppData\sysfonts.exe
      Process:C:\Users\user\Desktop\Package_details.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):508426
      Entropy (8bit):7.5530920458361335
      Encrypted:false
      SSDEEP:12288:VYuE3woImTkWfHrqWWBKZ8r/VkZhRChRr+FDszyNgh:VYuE3woLdHr7WqnA37WN
      MD5:AC793C4CE42F9F1FA9158ECD6B234DDE
      SHA1:C336CDC682DF1BCE80AFEFB202E048BDA3762725
      SHA-256:51B557C38973A019AD7B894AA7A0B4ACA9696D4AD3523447CCE6181ABEB3938C
      SHA-512:90068F8729CC3D9A3A94A0BCF37843F0BFB0AEB471CE92BB5BB403F3F93D4223C962ABBA821839E53AA70E7AFB97C4FEA84C6A2A6FE7EC3A8DA56AFA6D4E021F
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      C:\Users\user\AppData\Local\Temp\tmp30A7.tmp
      Process:C:\Users\user\Desktop\Package_details.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1305
      Entropy (8bit):5.0992916127163666
      Encrypted:false
      SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0fL3xtn:cbk4oL600QydbQxIYODOLedq3czj
      MD5:DE07D5279DEEC6B525C123125016B4C2
      SHA1:FA6EEC4A236E84B2506DD4280A4B24FD9124CC58
      SHA-256:A62ABE7A8B7A3D5F70CABD49CCBF12DE474E0BFBA21A0A8FC46800FCF48E0C52
      SHA-512:098CB099A869046494CDC4B9832A5C9FBE987ED53581D05767C17E5C2BD4A85177F8B7D0CBD879FE61238AD4450E7987FF0E5BF2D11FF024963F606FD78BA9C9
      Malicious:true
      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
      C:\Users\user\AppData\Local\Temp\tmp33C5.tmp
      Process:C:\Users\user\Desktop\Package_details.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1310
      Entropy (8bit):5.109425792877704
      Encrypted:false
      SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
      MD5:5C2F41CFC6F988C859DA7D727AC2B62A
      SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
      SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
      SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
      Malicious:false
      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
      Process:C:\Users\user\Desktop\Package_details.exe
      File Type:data
      Category:dropped
      Size (bytes):232
      Entropy (8bit):7.089541637477408
      Encrypted:false
      SSDEEP:3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
      MD5:9E7D0351E4DF94A9B0BADCEB6A9DB963
      SHA1:76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
      SHA-256:AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
      SHA-512:93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
      Malicious:false
      Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&
      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Process:C:\Users\user\Desktop\Package_details.exe
      File Type:Non-ISO extended-ASCII text, with no line terminators
      Category:dropped
      Size (bytes):8
      Entropy (8bit):3.0
      Encrypted:false
      SSDEEP:3:An:A
      MD5:8B38108DFF8545452009901160E26753
      SHA1:73D5ED40FA083606029C1CE61B04B0B0D1961CA5
      SHA-256:E07631DD52B828F997192DB13896AC110DC113C01E16C1CE096DAD1B1745D8D4
      SHA-512:4E801BFFD3569125D1D8C2D3AA14F35D85D3103EFFE11C0E03A2299A6158EB9C85DB8C1790CD98D52AA14903B9C4082FB5869581370D239FD6921254BD072ECE
      Malicious:true
      Preview: .{=<u..H
      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
      Process:C:\Users\user\Desktop\Package_details.exe
      File Type:data
      Category:modified
      Size (bytes):40
      Entropy (8bit):5.153055907333276
      Encrypted:false
      SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
      MD5:4E5E92E2369688041CC82EF9650EDED2
      SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
      SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
      SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
      Malicious:false
      Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
      Process:C:\Users\user\Desktop\Package_details.exe
      File Type:data
      Category:dropped
      Size (bytes):426832
      Entropy (8bit):7.999527918131335
      Encrypted:true
      SSDEEP:6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
      MD5:653DDDCB6C89F6EC51F3DDC0053C5914
      SHA1:4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
      SHA-256:83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
      SHA-512:27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
      Malicious:false
      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
      Process:C:\Users\user\Desktop\Package_details.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):42
      Entropy (8bit):4.26113230362812
      Encrypted:false
      SSDEEP:3:oNWXp5v1E0iIM4A:oNWXpFO0RrA
      MD5:4CACDC973783E93B39FD939846A38F73
      SHA1:8C863E75701DC2F9E1E2233672CDE785603B4E98
      SHA-256:674E347C8427347CBAC62DB1B722FE6D5C03FF9E23A9E9F6891AF918B53D61FD
      SHA-512:E2A0A113661E57571B5F0F3548F12DC51BAD04607D4A223EE9E340B5B394F8DD0D2AB3E5B105AE246CC70AF5676EDAA6A7350607973F8AF07E8F1BE6E63EBD05
      Malicious:false
      Preview: C:\Users\user\Desktop\Package_details.exe

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):7.553173588079667
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:Package_details.exe
      File size:508416
      MD5:ce3c5367fb067a45f5fa10c35ca23a28
      SHA1:9d0f4d746747a6fd13a48b1a867eb8d103d9daec
      SHA256:e4fc20492ed4f4750766382f6578d84f38bf680646eb6b5193c5733925941f67
      SHA512:ae46e93dd82128efd0c1f8dab094b7a51716a6bcde6053a66efdd8724115e7b6d4a0fab1caf0775482f358488edefe81becdd01a2a820fba9b338c30cb2d8a07
      SSDEEP:12288:VYuE3woImTkWfHrqWWBKZ8r/VkZhRChRr+FDszyNghK:VYuE3woLdHr7WqnA37WNp
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(k-.l.C.l.C.l.C..|..{.C..|..Z.C..|....C.er..c.C.l.B...C..|..m.C..|..m.C..|..m.C.Richl.C.........................PE..L......_...

      File Icon

      Icon Hash:7cf292aecae8e896

      Static PE Info

      General

      Entrypoint:0x40af68
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0x5FB8ACF5 [Sat Nov 21 06:00:21 2020 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:5
      OS Version Minor:1
      File Version Major:5
      File Version Minor:1
      Subsystem Version Major:5
      Subsystem Version Minor:1
      Import Hash:fe91cd96af1348223f21fb3d7bcc19bd

      Entrypoint Preview

      Instruction
      call 00007F9BA0A750F2h
      jmp 00007F9BA0A6DB4Eh
      mov edi, edi
      push ebp
      mov ebp, esp
      mov eax, dword ptr [ebp+08h]
      xor ecx, ecx
      cmp eax, dword ptr [004253E0h+ecx*8]
      je 00007F9BA0A6DCD5h
      inc ecx
      cmp ecx, 2Dh
      jc 00007F9BA0A6DCB3h
      lea ecx, dword ptr [eax-13h]
      cmp ecx, 11h
      jnbe 00007F9BA0A6DCD0h
      push 0000000Dh
      pop eax
      pop ebp
      ret
      mov eax, dword ptr [004253E4h+ecx*8]
      pop ebp
      ret
      add eax, FFFFFF44h
      push 0000000Eh
      pop ecx
      cmp ecx, eax
      sbb eax, eax
      and eax, ecx
      add eax, 08h
      pop ebp
      ret
      call 00007F9BA0A73905h
      test eax, eax
      jne 00007F9BA0A6DCC8h
      mov eax, 00425548h
      ret
      add eax, 08h
      ret
      call 00007F9BA0A738F2h
      test eax, eax
      jne 00007F9BA0A6DCC8h
      mov eax, 0042554Ch
      ret
      add eax, 0Ch
      ret
      mov edi, edi
      push ebp
      mov ebp, esp
      push esi
      call 00007F9BA0A6DCA7h
      mov ecx, dword ptr [ebp+08h]
      push ecx
      mov dword ptr [eax], ecx
      call 00007F9BA0A6DC47h
      pop ecx
      mov esi, eax
      call 00007F9BA0A6DC81h
      mov dword ptr [eax], esi
      pop esi
      pop ebp
      ret
      mov edi, edi
      push ebp
      mov ebp, esp
      sub esp, 4Ch
      mov eax, dword ptr [00425810h]
      xor eax, ebp
      mov dword ptr [ebp-04h], eax
      push ebx
      xor ebx, ebx
      push esi
      mov esi, dword ptr [ebp+08h]
      push edi
      mov dword ptr [ebp-2Ch], ebx
      mov dword ptr [ebp-1Ch], ebx
      mov dword ptr [ebp-20h], ebx
      mov dword ptr [ebp-28h], ebx
      mov dword ptr [ebp-24h], ebx
      mov dword ptr [ebp-4Ch], esi
      mov dword ptr [ebp-48h], ebx
      cmp dword ptr [esi+14h], ebx

      Rich Headers

      Programming Language:
      • [LNK] VS2010 build 30319
      • [ASM] VS2010 build 30319
      • [ C ] VS2010 build 30319
      • [C++] VS2010 build 30319
      • [RES] VS2010 build 30319
      • [IMP] VS2008 SP1 build 30729

      Data Directories

      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x23cb0 | 0xa0 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2f000 | 0xc560 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3c000 | 0x1628 | .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x1f000 | 0x1c8 | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

      Sections

      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x1d3d7 | 0x1d400 | False | 0.554587339744 | data | 6.66584733231 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .rdata | 0x1f000 | 0x5734 | 0x5800 | False | 0.364479758523 | data | 4.98964076212 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0x25000 | 0x9880 | 0x6800 | False | 0.806114783654 | data | 7.41513673267 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
      .rsrc | 0x2f000 | 0xc560 | 0xc600 | False | 0.377308238636 | data | 4.9790039799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc | 0x3c000 | 0x21ac | 0x2200 | False | 0.522977941176 | data | 5.07781530691 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Resources

      Name | RVA | Size | Type | Language | Country
      RT_ICON | 0x2f2b0 | 0x800 | data | English | United States
      RT_ICON | 0x2fab0 | 0x400 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2291108095, next used block 136 | English | United States
      RT_ICON | 0x2feb0 | 0x200 | GLS_BINARY_LSB_FIRST | English | United States
      RT_ICON | 0x300b0 | 0x1000 | data | English | United States
      RT_ICON | 0x310b0 | 0xa00 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16119029, next used block 15988220 | English | United States
      RT_ICON | 0x31ab0 | 0x800 | data | English | United States
      RT_ICON | 0x322b0 | 0x600 | GLS_BINARY_LSB_FIRST | English | United States
      RT_ICON | 0x328b0 | 0x4400 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 252, next used block 4294902016 | English | United States
      RT_ICON | 0x36cb0 | 0x2600 | data | English | United States
      RT_ICON | 0x392b0 | 0x1200 | data | English | United States
      RT_ICON | 0x3a4b0 | 0xa00 | data | English | United States
      RT_ICON | 0x3aeb0 | 0x600 | GLS_BINARY_LSB_FIRST | English | United States
      RT_GROUP_ICON | 0x3b4b0 | 0xae | data | English | United States

      Imports

      DLL | Import
      KERNEL32.dll | WaitForSingleObject, GetExitCodeProcess, HeapReAlloc, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, CreateProcessA, CloseHandle, SetFilePointer, ReadFile, FlushFileBuffers, GetConsoleMode, GetConsoleCP, HeapSize, IsValidCodePage, GetOEMCP, GetACP, GetStringTypeW, WriteConsoleW, SetStdHandle, CompareStringW, SetEnvironmentVariableA, GetUserDefaultLCID, VirtualProtect, WideCharToMultiByte, InterlockedIncrement, InterlockedDecrement, InterlockedExchange, MultiByteToWideChar, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetLastError, HeapFree, GetProcAddress, GetModuleHandleW, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, GetCPInfo, RaiseException, RtlUnwind, HeapAlloc, LCMapStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, IsProcessorFeaturePresent, HeapCreate, GetFileAttributesA, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, LoadLibraryW, GetLocaleInfoW, WriteFile, GetStdHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, CreateFileW
      MSVFW32.dll | ICGetInfo, ICSeqCompressFrameStart, ICCompressorChoose, ICSeqCompressFrame
      AVIFIL32.dll | AVIMakeStreamFromClipboard, AVIClearClipboard, AVIStreamOpenFromFile, AVIStreamRead
      wsnmp32.dll |
      SETUPAPI.dll | SetupDiCreateDeviceInterfaceRegKeyA, SetupDiInstallClassExA, SetupDiEnumDriverInfoW, SetupDiBuildDriverInfoList, SetupRenameErrorA, SetupDefaultQueueCallback, SetupInstallFilesFromInfSectionA
      SHELL32.dll | SHFileOperationA, ShellHookProc, DragQueryFile
      COMDLG32.dll | ReplaceTextW, ReplaceTextA, PrintDlgW, PrintDlgExW, CommDlgExtendedError, PrintDlgExA

      Possible Origin

      Language of compilation system | Country where language is spoken
      English | United States

      Network Behavior

      Snort IDS Alerts

      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
      11/21/20-15:29:06.823457 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49706 | 24980 | 192.168.2.3 | 209.159.151.5

      Network Port Distribution

      TCP Packets


      Code Manipulations

      Statistics

      Behavior


      System Behavior

      General

      Start time:15:28:56
      Start date:21/11/2020
      Path:C:\Users\user\Desktop\Package_details.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\Package_details.exe'
      Imagebase:0xd90000
      File size:508416 bytes
      MD5 hash:CE3C5367FB067A45F5FA10C35CA23A28
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.216025049.0000000001890000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.216025049.0000000001890000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.216025049.0000000001890000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.216025049.0000000001890000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      General

      Start time:15:29:02
      Start date:21/11/2020
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:cmd /c schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml'
      Imagebase:0xbd0000
      File size:232960 bytes
      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:15:29:02
      Start date:21/11/2020
      Path:C:\Users\user\Desktop\Package_details.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\Desktop\Package_details.exe
      Imagebase:0xd90000
      File size:508416 bytes
      MD5 hash:CE3C5367FB067A45F5FA10C35CA23A28
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      General

      Start time:15:29:02
      Start date:21/11/2020
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff6b2800000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:15:29:02
      Start date:21/11/2020
      Path:C:\Windows\SysWOW64\schtasks.exe
      Wow64 process (32bit):true
      Commandline:schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml'
      Imagebase:0xe60000
      File size:185856 bytes
      MD5 hash:15FF7D8324231381BAD48A052F85DF04
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:15:29:04
      Start date:21/11/2020
      Path:C:\Windows\SysWOW64\schtasks.exe
      Wow64 process (32bit):true
      Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp'
      Imagebase:0xe60000
      File size:185856 bytes
      MD5 hash:15FF7D8324231381BAD48A052F85DF04
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:15:29:05
      Start date:21/11/2020
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff6b2800000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:15:29:05
      Start date:21/11/2020
      Path:C:\Windows\SysWOW64\schtasks.exe
      Wow64 process (32bit):true
      Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp33C5.tmp'
      Imagebase:0xe60000
      File size:185856 bytes
      MD5 hash:15FF7D8324231381BAD48A052F85DF04
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:15:29:05
      Start date:21/11/2020
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff6b2800000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:15:29:06
      Start date:21/11/2020
      Path:C:\Users\user\Desktop\Package_details.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\Desktop\Package_details.exe 0
      Imagebase:0xd90000
      File size:508416 bytes
      MD5 hash:CE3C5367FB067A45F5FA10C35CA23A28
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      General

      Start time:15:29:06
      Start date:21/11/2020
      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Wow64 process (32bit):true
      Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Imagebase:0x300000
      File size:508416 bytes
      MD5 hash:CE3C5367FB067A45F5FA10C35CA23A28
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Antivirus matches:
      • Detection: 100%, Joe Sandbox ML
      • Detection: 35%, Virustotal
      • Detection: 25%, ReversingLabs
      Reputation:low

      General

      Start time:15:29:12
      Start date:21/11/2020
      Path:C:\Users\user\Desktop\Package_details.exe
      Wow64 process (32bit):false
      Commandline:C:\Users\user\Desktop\Package_details.exe
      Imagebase:0xd90000
      File size:508416 bytes
      MD5 hash:CE3C5367FB067A45F5FA10C35CA23A28
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      General

      Start time:15:29:12
      Start date:21/11/2020
      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Wow64 process (32bit):true
      Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Imagebase:0x300000
      File size:508416 bytes
      MD5 hash:CE3C5367FB067A45F5FA10C35CA23A28
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.255480144.00000000057B2000.00000040.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.255480144.00000000057B2000.00000040.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.255480144.00000000057B2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.254375322.00000000013D8000.00000004.00000020.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.254375322.00000000013D8000.00000004.00000020.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.254375322.00000000013D8000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.255256887.000000000365E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.255293475.0000000004651000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.255293475.0000000004651000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.255293475.0000000004651000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      General

      Start time:15:29:13
      Start date:21/11/2020
      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Wow64 process (32bit):true
      Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Imagebase:0x300000
      File size:508416 bytes
      MD5 hash:CE3C5367FB067A45F5FA10C35CA23A28
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      General

      Start time:15:29:14
      Start date:21/11/2020
      Path:C:\Users\user\Desktop\Package_details.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\Desktop\Package_details.exe
      Imagebase:0xd90000
      File size:508416 bytes
      MD5 hash:CE3C5367FB067A45F5FA10C35CA23A28
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.256685765.0000000001110000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.256685765.0000000001110000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.256685765.0000000001110000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.256685765.0000000001110000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      General

      Start time:15:29:19
      Start date:21/11/2020
      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Wow64 process (32bit):false
      Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Imagebase:0x300000
      File size:508416 bytes
      MD5 hash:CE3C5367FB067A45F5FA10C35CA23A28
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      General

      Start time:15:29:20
      Start date:21/11/2020
      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Wow64 process (32bit):true
      Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Imagebase:0x300000
      File size:508416 bytes
      MD5 hash:CE3C5367FB067A45F5FA10C35CA23A28
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.265645463.0000000000BA0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.265645463.0000000000BA0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.265645463.0000000000BA0000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.265645463.0000000000BA0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      General

      Start time:15:29:20
      Start date:21/11/2020
      Path:C:\Users\user\Desktop\Package_details.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\Desktop\Package_details.exe
      Imagebase:0xd90000
      File size:508416 bytes
      MD5 hash:CE3C5367FB067A45F5FA10C35CA23A28
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.273459332.0000000003EC1000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.273459332.0000000003EC1000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.273459332.0000000003EC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.270080502.0000000002970000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.270080502.0000000002970000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.270080502.0000000002970000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.270080502.0000000002970000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.269469613.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.269469613.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.269469613.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.269469613.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.269644528.0000000000966000.00000004.00000020.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.269644528.0000000000966000.00000004.00000020.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.269644528.0000000000966000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.273427338.0000000002ECE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.270811037.0000000002AD2000.00000040.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.270811037.0000000002AD2000.00000040.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.270811037.0000000002AD2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      General

      Start time:15:29:25
      Start date:21/11/2020
      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Wow64 process (32bit):true
      Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Imagebase:0x300000
      File size:508416 bytes
      MD5 hash:CE3C5367FB067A45F5FA10C35CA23A28
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.279458357.00000000042D1000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.279458357.00000000042D1000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.279458357.00000000042D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.278607358.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000015.00000002.278607358.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.278607358.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.278607358.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.278916305.0000000001444000.00000004.00000020.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.278916305.0000000001444000.00000004.00000020.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.278916305.0000000001444000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.279548840.0000000005472000.00000040.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.279548840.0000000005472000.00000040.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.279548840.0000000005472000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.279433728.00000000032DE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      Disassembly

      Code Analysis
