Loading ...

Play interactive tourEdit tour

Analysis Report SecuriteInfo.com.Trojan.DownLoader36.7233.23906.21829

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.DownLoader36.7233.23906.21829 (renamed file extension from 21829 to exe)
Analysis ID:324206
MD5:ee4555ac614048e36aae067b6a032951
SHA1:c7559fe7c094d4643ea3ab09c071fa0ac8ec18a4
SHA256:3a2278374596d368ec773c10d54ec91f69445144248769abb155de58215d8c2c

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe (PID: 2440 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe' MD5: EE4555AC614048E36AAE067B6A032951)
    • conhost.exe (PID: 5092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5316 cmdline: cmd /c schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • schtasks.exe (PID: 4928 cmdline: schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml' MD5: 15FF7D8324231381BAD48A052F85DF04)
    • MSBuild.exe (PID: 2152 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)
      • schtasks.exe (PID: 5920 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 2168 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1B1D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • MSBuild.exe (PID: 5292 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0 MD5: 88BBB7610152B48C2B3879473B17857E)
    • conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5972 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 88BBB7610152B48C2B3879473B17857E)
    • conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5588 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 88BBB7610152B48C2B3879473B17857E)
    • conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x15bdd:$x1: NanoCore.ClientPluginHost
  • 0x15c1a:$x2: IClientNetworkHost
  • 0x1974d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x15945:$a: NanoCore
    • 0x15955:$a: NanoCore
    • 0x15b89:$a: NanoCore
    • 0x15b9d:$a: NanoCore
    • 0x15bdd:$a: NanoCore
    • 0x159a4:$b: ClientPlugin
    • 0x15ba6:$b: ClientPlugin
    • 0x15be6:$b: ClientPlugin
    • 0x15acb:$c: ProjectData
    • 0x164d2:$d: DESCrypto
    • 0x1de9e:$e: KeepAlive
    • 0x1be8c:$g: LogClientMessage
    • 0x18087:$i: get_Connected
    • 0x16808:$j: #=q
    • 0x16838:$j: #=q
    • 0x16854:$j: #=q
    • 0x16884:$j: #=q
    • 0x168a0:$j: #=q
    • 0x168bc:$j: #=q
    • 0x168ec:$j: #=q
    • 0x16908:$j: #=q
    00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x1312:$a: NanoCore
    • 0x1337:$a: NanoCore
    • 0x1390:$a: NanoCore
    • 0x1152d:$a: NanoCore
    • 0x11553:$a: NanoCore
    • 0x115af:$a: NanoCore
    • 0x1e404:$a: NanoCore
    • 0x1e45d:$a: NanoCore
    • 0x1e490:$a: NanoCore
    • 0x1e6bc:$a: NanoCore
    • 0x1e738:$a: NanoCore
    • 0x1ed51:$a: NanoCore
    • 0x1ee9a:$a: NanoCore
    • 0x1f36e:$a: NanoCore
    • 0x1f655:$a: NanoCore
    • 0x1f66c:$a: NanoCore
    • 0x229f5:$a: NanoCore
    • 0x23daf:$a: NanoCore
    • 0x23df9:$a: NanoCore
    • 0x24a53:$a: NanoCore
    • 0x2a038:$a: NanoCore
    Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440Nanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x10df52:$x1: NanoCore.ClientPluginHost
    • 0x10dfb3:$x2: IClientNetworkHost
    • 0x1133b8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x12132a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    Click to see the 3 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1e5dd:$x1: NanoCore.ClientPluginHost
    • 0x1e61a:$x2: IClientNetworkHost
    • 0x2214d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x1e355:$x1: NanoCore Client.exe
    • 0x1e5dd:$x2: NanoCore.ClientPluginHost
    • 0x1fc16:$s1: PluginCommand
    • 0x1fc0a:$s2: FileCommand
    • 0x20abb:$s3: PipeExists
    • 0x26872:$s4: PipeCreated
    • 0x1e607:$s5: IClientLoggingHost
    0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0x1e345:$a: NanoCore
      • 0x1e355:$a: NanoCore
      • 0x1e589:$a: NanoCore
      • 0x1e59d:$a: NanoCore
      • 0x1e5dd:$a: NanoCore
      • 0x1e3a4:$b: ClientPlugin
      • 0x1e5a6:$b: ClientPlugin
      • 0x1e5e6:$b: ClientPlugin
      • 0x1e4cb:$c: ProjectData
      • 0x1eed2:$d: DESCrypto
      • 0x2689e:$e: KeepAlive
      • 0x2488c:$g: LogClientMessage
      • 0x20a87:$i: get_Connected
      • 0x1f208:$j: #=q
      • 0x1f238:$j: #=q
      • 0x1f254:$j: #=q
      • 0x1f284:$j: #=q
      • 0x1f2a0:$j: #=q
      • 0x1f2bc:$j: #=q
      • 0x1f2ec:$j: #=q
      • 0x1f308:$j: #=q

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 2152, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Sigma detected: Scheduled temp file as task from temp locationShow sources
      Source: Process startedAuthor: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ParentProcessId: 2152, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp', ProcessId: 5920

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Antivirus / Scanner detection for submitted sampleShow sources
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeAvira: detected
      Antivirus detection for dropped fileShow sources
      Source: C:\Users\user\AppData\Local\Temp\Temp\images.exeAvira: detection malicious, Label: TR/ATRAPS.Gen
      Multi AV Scanner detection for dropped fileShow sources
      Source: C:\Users\user\AppData\Local\Temp\Temp\images.exeReversingLabs: Detection: 79%
      Multi AV Scanner detection for submitted fileShow sources
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeMetadefender: Detection: 21%Perma Link
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeReversingLabs: Detection: 75%
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORY
      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPE
      Machine Learning detection for dropped fileShow sources
      Source: C:\Users\user\AppData\Local\Temp\Temp\images.exeJoe Sandbox ML: detected
      Machine Learning detection for sampleShow sources
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeJoe Sandbox ML: detected
      Source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 0.0.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpackAvira: Label: TR/ATRAPS.Gen

      Networking:

      barindex
      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49723 -> 209.159.151.5:24980
      Connects to many ports of the same IP (likely port scanning)Show sources
      Source: global trafficTCP traffic: 209.159.151.5 ports 0,2,4,24980,8,9
      Source: global trafficTCP traffic: 192.168.2.3:49723 -> 209.159.151.5:24980
      Source: Joe Sandbox ViewASN Name: IS-AS-1US IS-AS-1US
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: unknownTCP traffic detected without corresponding DNS query: 209.159.151.5
      Source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmpString found in binary or memory: http://google.com
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49687
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49685
      Source: unknownNetwork traffic detected: HTTP traffic on port 49694 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694
      Source: unknownNetwork traffic detected: HTTP traffic on port 49679 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49692 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49690
      Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49685 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49690 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49687 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49679

      E-Banking Fraud:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORY
      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPE

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: MSBuild.exe PID: 2152, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: 0_2_00321090 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetConsoleWindow,ShowWindow,LoadLibraryA,RpcMgmtEpEltInqBegin,NtCreateSection,NtMapViewOfSection,CloseHandle,CallWindowProcW,0_2_00321090
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: 0_2_00324D980_2_00324D98
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 9_2_051907089_2_05190708
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_00F2070811_2_00F20708
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_00896D0814_2_00896D08
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0089695014_2_00896950
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0089692F14_2_0089692F
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0505070814_2_05050708
      Source: dhcpmon.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dhcpmon.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dhcpmon.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe, 00000000.00000003.217098916.0000000002ABF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe
      Source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.220940423.000000000032A000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe PID: 2440, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: MSBuild.exe PID: 2152, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe.320000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: dhcpmon.exe, 0000000E.00000002.250115588.0000000002E41000.00000004.00000001.sdmpBinary or memory string: kr*)C:\Program Files (x86)\DHCP Monitor\*.sln
      Source: dhcpmon.exe, 0000000B.00000000.225859011.00000000004C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.249042696.0000000000892000.00000002.00020000.sdmp, dhcpmon.exe.3.drBinary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
      Source: dhcpmon.exe, 0000000B.00000000.225859011.00000000004C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.249042696.0000000000892000.00000002.00020000.sdmp, dhcpmon.exe.3.drBinary or memory string: MSBuild MyApp.csproj /t:Clean /p:Configuration=Debug
      Source: dhcpmon.exe, 0000000B.00000000.225859011.00000000004C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000E.00000002.249042696.0000000000892000.00000002.00020000.sdmp, dhcpmon.exe.3.drBinary or memory string: *.sln+AmbiguousProjectError'MissingProjectError)ProjectNotFoundError)InvalidPropertyError
      Source: dhcpmon.exeBinary or memory string: *.sln
      Source: classification engineClassification label: mal100.troj.evad.winEXE@20/15@0/1
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5948:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5092:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{8127ccf6-0246-44cc-81bf-cfc57c0704b0}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4120:120:WilError_01
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeFile created: C:\Users\user\AppData\Local\Temp\TempJump to behavior
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeMetadefender: Detection: 21%
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeReversingLabs: Detection: 75%
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeString found in binary or memory: </UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeString found in binary or memory: </UserId><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><IdleSettings><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority></Settings><Actions Context="Author"><Exec><Command>
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'
      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1B1D.tmp'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'Jump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp'Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1B1D.tmp'Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe, 00000000.00000003.216864769.0000000002810000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exe, 00000000.00000003.216864769.0000000002810000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp
      Source: Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.3.dr
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000003.00000003.228783921.0000000004481000.00000004.00000001.sdmp
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: 0_2_00321090 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetConsoleWindow,ShowWindow,LoadLibraryA,RpcMgmtEpEltInqBegin,NtCreateSection,NtMapViewOfSection,CloseHandle,CallWindowProcW,0_2_00321090
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: 0_2_00322979 push ecx; ret 0_2_0032298C
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeFile created: C:\Users\user\AppData\Local\Temp\Temp\images.exeJump to dropped file
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

      Boot Survival:

      barindex
      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier read attributes | deleteJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWindow / User API: threadDelayed 661Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWindow / User API: foregroundWindowGot 639Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWindow / User API: foregroundWindowGot 609Jump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Temp\images.exeJump to dropped file
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5912Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5712Thread sleep time: -40000s >= -30000sJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6076Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6044Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5932Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: MSBuild.exe, 00000003.00000003.310491763.0000000000DBE000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: 0_2_003212F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_003212F4
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: 0_2_00321090 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetConsoleWindow,ShowWindow,LoadLibraryA,RpcMgmtEpEltInqBegin,NtCreateSection,NtMapViewOfSection,CloseHandle,CallWindowProcW,0_2_00321090
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: 0_2_00AB4C15 mov eax, dword ptr fs:[00000030h]0_2_00AB4C15
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: 0_2_00AB4C78 mov eax, dword ptr fs:[00000030h]0_2_00AB4C78
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: 0_2_00AB13B8 mov eax, dword ptr fs:[00000030h]0_2_00AB13B8
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: 0_2_00AB4BD8 mov eax, dword ptr fs:[00000030h]0_2_00AB4BD8
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: 0_2_003254B3 __NMSG_WRITE,_raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_003254B3
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: 0_2_003212F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_003212F4
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: 0_2_00322DC2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00322DC2
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory allocated: page read and write | page guardJump to behavior

      HIPS / PFW / Operating System Protection Evasion:

      barindex
      Maps a DLL or memory area into another processShow sources
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and writeJump to behavior
      Writes to foreign memory regionsShow sources
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: AFE008Jump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /TN images /XML 'C:\Users\user\AppData\Local\Temp\27c398b5630447af830b2dd2bc343446.xml'Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp182E.tmp'Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1B1D.tmp'Jump to behavior
      Source: MSBuild.exe, 00000003.00000003.310491763.0000000000DBE000.00000004.00000001.sdmpBinary or memory string: Program Manager
      Source: MSBuild.exe, 00000003.00000003.280492949.0000000000DB7000.00000004.00000001.sdmpBinary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exeBuild.exeentImporter, system.workflowservices, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL"/>
      Source: MSBuild.exe, 00000003.00000003.310491763.0000000000DBE000.00000004.00000001.sdmpBinary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader36.7233.23906.exeCode function: GetLocaleInfoA,0_2_0