Analysis Report Scan002.exe.exe

Overview

General Information

Sample Name: Scan002.exe.exe
Analysis ID: 338348
MD5: 8e2315d05c47fefdddf0a686bf9e353e
SHA1: e56fe197d61518b5ea20696677c3fb444e39860e
SHA256: dd647e98e0bd3b1627a0385970c38cd046883967f39dbf9fe416d5300e8e310a
Tags: exeNanoCoreRATYahoo

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Parent Proces Executions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: dhcpmon.exe.6764.27.memstr Malware Configuration Extractor: NanoCore {"C2: ": ["172.111.249.15"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for domain / URL
Source: innocentbooii.hopto.org Virustotal: Detection: 8% Perma Link
Yara detected Nanocore RAT
Source: Yara match File source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY
Source: Yara match File source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\UbebSiSIKndjd.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Scan002.exe.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.Scan002.exe.exe.6220000.6.unpack Avira: Label: TR/NanoCore.fadte
Source: 13.2.Scan002.exe.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.Scan002.exe.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

barindex
Uses 32bit PE files
Source: Scan002.exe.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Scan002.exe.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Scan002.exe.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, dhcpmon.exe, 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: Scan002.exe.exe, 00000000.00000002.264377341.00000000067C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000003.00000002.609595214.0000000005F20000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.282247924.0000000006D60000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.277107575.0000000006B00000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.308220988.0000000007170000.00000002.00000001.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04BDAF98
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 4x nop then jmp 0667082Dh 0_2_066707C8
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 4x nop then jmp 0667082Dh 0_2_066707B8
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 4x nop then mov esp, ebp 3_2_032D86B1
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 8_2_052AAF98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 10_2_0504AF88

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 172.111.249.15
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS45671-NET-AUWholesaleServicesProviderAU AS45671-NET-AUWholesaleServicesProviderAU
Source: unknown DNS traffic detected: queries for: innocentbooii.hopto.org
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000000.00000003.227051250.0000000004EED000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Scan002.exe.exe, 00000000.00000003.232966975.0000000004ECF000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Scan002.exe.exe, 00000000.00000003.235619449.0000000004EC2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlh
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerss
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comFk/
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comN/
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comTTFY/
Source: Scan002.exe.exe, 00000000.00000002.255981298.0000000004EB0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalsa
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalsd
Source: Scan002.exe.exe, 00000000.00000002.255981298.0000000004EB0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcoma
Source: Scan002.exe.exe, 00000000.00000003.226824848.0000000004EED000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Scan002.exe.exe, 00000000.00000003.226884104.0000000004EED000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com4
Source: Scan002.exe.exe, 00000000.00000003.228394731.0000000004EC1000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Scan002.exe.exe, 00000000.00000003.229248591.0000000004EB4000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Scan002.exe.exe, 00000000.00000003.228156025.0000000004EB3000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn8
Source: Scan002.exe.exe, 00000000.00000003.228230964.0000000004EBE000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnI
Source: Scan002.exe.exe, 00000000.00000003.228156025.0000000004EB3000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cne-di.
Source: Scan002.exe.exe, 00000000.00000003.228156025.0000000004EB3000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnoftA.
Source: Scan002.exe.exe, 00000000.00000003.228156025.0000000004EB3000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnorm
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Scan002.exe.exe, 00000000.00000003.231098088.0000000004EB5000.00000004.00000001.sdmp, Scan002.exe.exe, 00000000.00000003.231221602.0000000004EB6000.00000004.00000001.sdmp, Scan002.exe.exe, 00000000.00000003.231280337.0000000004EB6000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Scan002.exe.exe, 00000000.00000003.231221602.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/40
Source: Scan002.exe.exe, 00000000.00000003.231098088.0000000004EB5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/G/
Source: Scan002.exe.exe, 00000000.00000003.231280337.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/N/
Source: Scan002.exe.exe, 00000000.00000003.231221602.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Pogr
Source: Scan002.exe.exe, 00000000.00000003.231280337.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0P
Source: Scan002.exe.exe, 00000000.00000003.231447812.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0Y/
Source: Scan002.exe.exe, 00000000.00000003.231447812.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Scan002.exe.exe, 00000000.00000003.231447812.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/k/
Source: Scan002.exe.exe, 00000000.00000003.231098088.0000000004EB5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/k/
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Scan002.exe.exe, 00000000.00000003.229248591.0000000004EB4000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.
Source: dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Scan002.exe.exe, 00000000.00000003.236674676.0000000004ECF000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: Scan002.exe.exe, 00000000.00000003.232418765.0000000004ECF000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de2
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Scan002.exe.exe, 00000000.00000003.232418765.0000000004ECF000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.dei
Source: Scan002.exe.exe, 00000000.00000003.232418765.0000000004ECF000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deod
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: Scan002.exe.exe, 00000000.00000002.251177607.0000000000AE9000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY
Source: Yara match File source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

Operating System Destruction:

barindex
Protects its processes via BreakOnTermination flag
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: 01 00 00 00 Jump to behavior

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.609917775.00000000060D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Scan002.exe.exe.5f80000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Scan002.exe.exe.60d0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_03341622 NtSetInformationProcess, 3_2_03341622
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_033418E6 NtQuerySystemInformation, 3_2_033418E6
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_033418AB NtQuerySystemInformation, 3_2_033418AB
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_033415F1 NtSetInformationProcess, 3_2_033415F1
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_06CF1C9E NtQuerySystemInformation, 8_2_06CF1C9E
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_06CF1C64 NtQuerySystemInformation, 8_2_06CF1C64
Detected potential crypto function
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BDDA80 0_2_04BDDA80
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BDE2E0 0_2_04BDE2E0
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BDAF98 0_2_04BDAF98
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BDF584 0_2_04BDF584
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BDB778 0_2_04BDB778
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BDB4D0 0_2_04BDB4D0
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BDE2D0 0_2_04BDE2D0
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BDB4C1 0_2_04BDB4C1
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BDAF88 0_2_04BDAF88
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BDB770 0_2_04BDB770
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BDDB40 0_2_04BDDB40
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_06677F75 0_2_06677F75
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_06677B25 0_2_06677B25
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_066707C8 0_2_066707C8
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_066707B8 0_2_066707B8
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BD3B3F 0_2_04BD3B3F
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BD3B50 0_2_04BD3B50
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BD0950 0_2_04BD0950
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BD0941 0_2_04BD0941
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_032DB748 3_2_032DB748
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_032D2FA8 3_2_032D2FA8
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_032D23A0 3_2_032D23A0
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_032D9A78 3_2_032D9A78
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_032D8E78 3_2_032D8E78
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_032D9B3F 3_2_032D9B3F
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_032D306F 3_2_032D306F
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052AB778 8_2_052AB778
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052AF584 8_2_052AF584
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052AAF98 8_2_052AAF98
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052ADA80 8_2_052ADA80
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052AE2E0 8_2_052AE2E0
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052AB76A 8_2_052AB76A
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052ADB40 8_2_052ADB40
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052AE35C 8_2_052AE35C
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052AAF88 8_2_052AAF88
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052AB4C1 8_2_052AB4C1
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052AB4D0 8_2_052AB4D0
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052AE2D0 8_2_052AE2D0
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_068A7B25 8_2_068A7B25
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_068A8134 8_2_068A8134
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_068A7F75 8_2_068A7F75
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052A3B3F 8_2_052A3B3F
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052A0941 8_2_052A0941
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052A0950 8_2_052A0950
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052A3B50 8_2_052A3B50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_0504B778 10_2_0504B778
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_0504F584 10_2_0504F584
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_0504AF88 10_2_0504AF88
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_0504DA80 10_2_0504DA80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_0504E2E0 10_2_0504E2E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_0504DB40 10_2_0504DB40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_0504B4C1 10_2_0504B4C1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_0504B4D0 10_2_0504B4D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_0504E2D0 10_2_0504E2D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_06BF7B25 10_2_06BF7B25
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_06BF7F75 10_2_06BF7F75
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_05043B3F 10_2_05043B3F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_05040941 10_2_05040941
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_05040950 10_2_05040950
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_05043B50 10_2_05043B50
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 13_2_04F123A0 13_2_04F123A0
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 13_2_04F12FA8 13_2_04F12FA8
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 13_2_04F13850 13_2_04F13850
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 13_2_04F1306F 13_2_04F1306F
Sample file is different than original file name gathered from version info
Source: Scan002.exe.exe Binary or memory string: OriginalFilename vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000000.00000002.264686233.0000000006A60000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000000.00000002.264377341.00000000067C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000000.00000002.256132215.00000000050A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000000.00000002.267133655.00000000073B0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000000.00000002.267133655.00000000073B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000000.00000000.225279011.0000000000322000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
Source: Scan002.exe.exe Binary or memory string: OriginalFilename vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000003.00000003.252025197.0000000001653000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000003.00000002.610681716.0000000006AE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000003.00000002.609595214.0000000005F20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000003.00000002.603697296.00000000015FA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000003.00000002.604453423.0000000003330000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Scan002.exe.exe
Source: Scan002.exe.exe Binary or memory string: OriginalFilename vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000008.00000000.256183402.0000000000A02000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000008.00000002.282371680.0000000006DC0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000008.00000002.282516385.0000000006E80000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000008.00000002.282516385.0000000006E80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000008.00000002.282247924.0000000006D60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Scan002.exe.exe
Source: Scan002.exe.exe, 00000008.00000002.282968651.00000000072E0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Scan002.exe.exe
Source: Scan002.exe.exe Binary or memory string: OriginalFilename vs Scan002.exe.exe
Source: Scan002.exe.exe, 0000000D.00000002.288483394.0000000005020000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Scan002.exe.exe
Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Scan002.exe.exe
Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs Scan002.exe.exe
Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Scan002.exe.exe
Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Scan002.exe.exe
Source: Scan002.exe.exe, 0000000D.00000002.286701957.0000000000662000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
Source: Scan002.exe.exe Binary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
Uses 32bit PE files
Source: Scan002.exe.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.609917775.00000000060D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.609917775.00000000060D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Scan002.exe.exe.5f80000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Scan002.exe.exe.5f80000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Scan002.exe.exe.60d0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Scan002.exe.exe.60d0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Scan002.exe.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UbebSiSIKndjd.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.3.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.evad.winEXE@29/12@6/2
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_033414A6 AdjustTokenPrivileges, 3_2_033414A6
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_0334146F AdjustTokenPrivileges, 3_2_0334146F
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_06CF1BCE AdjustTokenPrivileges, 8_2_06CF1BCE
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_06CF1B97 AdjustTokenPrivileges, 8_2_06CF1B97
Source: C:\Users\user\Desktop\Scan002.exe.exe File created: C:\Program Files (x86)\DHCP Monitor Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe File created: C:\Users\user\AppData\Roaming\UbebSiSIKndjd.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Mutant created: \Sessions\1\BaseNamedObjects\HJFlgkyVhFQuadxHkBKPB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5412:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_01
Source: C:\Users\user\Desktop\Scan002.exe.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Scan002.exe.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{f54d19ad-33bd-4372-9241-49940a512cfd}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2160:120:WilError_01
Source: C:\Users\user\Desktop\Scan002.exe.exe File created: C:\Users\user\AppData\Local\Temp\tmp1945.tmp Jump to behavior
Source: Scan002.exe.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Scan002.exe.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Scan002.exe.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe File read: C:\Users\user\Desktop\Scan002.exe.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Scan002.exe.exe 'C:\Users\user\Desktop\Scan002.exe.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\Scan002.exe.exe {path}
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8ED7.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91C6.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\Scan002.exe.exe C:\Users\user\Desktop\Scan002.exe.exe 0
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp414F.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\Scan002.exe.exe {path}
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\Scan002.exe.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process created: C:\Users\user\Desktop\Scan002.exe.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8ED7.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91C6.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp414F.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process created: C:\Users\user\Desktop\Scan002.exe.exe {path} Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\Scan002.exe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: Scan002.exe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Scan002.exe.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Scan002.exe.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, dhcpmon.exe, 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: Scan002.exe.exe, 00000000.00000002.264377341.00000000067C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000003.00000002.609595214.0000000005F20000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.282247924.0000000006D60000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.277107575.0000000006B00000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.308220988.0000000007170000.00000002.00000001.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: Scan002.exe.exe, OSTBseLT?j??r/?N?R?wiDP.cs .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: UbebSiSIKndjd.exe.0.dr, OSTBseLT?j??r/?N?R?wiDP.cs .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Scan002.exe.exe.320000.0.unpack, OSTBseLT?j??r/?N?R?wiDP.cs .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Scan002.exe.exe.320000.0.unpack, OSTBseLT?j??r/?N?R?wiDP.cs .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.3.dr, OSTBseLT?j??r/?N?R?wiDP.cs .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Scan002.exe.exe.d30000.1.unpack, OSTBseLT?j??r/?N?R?wiDP.cs .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Scan002.exe.exe.d30000.0.unpack, OSTBseLT?j??r/?N?R?wiDP.cs .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Scan002.exe.exe.a00000.0.unpack, OSTBseLT?j??r/?N?R?wiDP.cs .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 0_2_04BDC928 push eax; iretd 0_2_04BDC929
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_015374B8 push ebp; ret 3_2_015374B9
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_015374AC push ecx; ret 3_2_015374AD
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 8_2_052AC928 push eax; iretd 8_2_052AC929
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_0504C928 push eax; iretd 10_2_0504C929
Source: initial sample Static PE information: section name: .text entropy: 7.70309811015
Source: initial sample Static PE information: section name: .text entropy: 7.70309811015
Source: initial sample Static PE information: section name: .text entropy: 7.70309811015
Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\Scan002.exe.exe File created: C:\Users\user\AppData\Roaming\UbebSiSIKndjd.exe Jump to dropped file
Source: C:\Users\user\Desktop\Scan002.exe.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Scan002.exe.exe File opened: C:\Users\user\Desktop\Scan002.exe.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: 0000000A.00000002.270860826.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5396, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Scan002.exe.exe, 00000000.00000002.252199504.0000000002A71000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.275208784.0000000003101000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.270929601.0000000002EDF000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLX1
Source: Scan002.exe.exe, 00000000.00000002.252540430.0000000002AE5000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.275304601.000000000319F000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.270860826.0000000002E41000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.302154152.00000000034EF000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Scan002.exe.exe, 00000000.00000002.252540430.0000000002AE5000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.275304601.000000000319F000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.270860826.0000000002E41000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.302154152.00000000034EF000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Scan002.exe.exe, 00000000.00000002.252199504.0000000002A71000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.275208784.0000000003101000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.270929601.0000000002EDF000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1
Contains capabilities to detect virtual machines
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Scan002.exe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Scan002.exe.exe Window / User API: threadDelayed 1027 Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Window / User API: foregroundWindowGot 1245 Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Window / User API: foregroundWindowGot 434 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 2172 Thread sleep time: -31500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 5916 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 5952 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 5416 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 5416 Thread sleep count: 74 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 5416 Thread sleep count: 255 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 4628 Thread sleep count: 1027 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 3008 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 4660 Thread sleep time: -31500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 892 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5056 Thread sleep time: -31500s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4728 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 5308 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4488 Thread sleep time: -31500s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5896 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6812 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_033416CA GetSystemInfo, 3_2_033416CA
Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: VMware
Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: vmwareX1
Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: VMWARE|9
Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: q#"SOFTWARE\VMware, Inc.\VMware ToolsX1
Source: Scan002.exe.exe, 00000003.00000002.610681716.0000000006AE0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: q&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1
Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: VMware|9
Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIX1
Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: VMware |9
Source: Scan002.exe.exe, 00000003.00000003.516542699.0000000001674000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: dhcpmon.exe, 0000000F.00000002.302154152.00000000034EF000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Scan002.exe.exe, 00000003.00000002.610681716.0000000006AE0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Scan002.exe.exe, 00000003.00000002.610681716.0000000006AE0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: VMWAREX1
Source: dhcpmon.exe, 0000000F.00000002.302154152.00000000034EF000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 0000000F.00000002.302154152.00000000034EF000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: VMware
Source: Scan002.exe.exe, 00000000.00000002.252199504.0000000002A71000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.275208784.0000000003101000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.270929601.0000000002EDF000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp Binary or memory string: QEMUX1
Source: Scan002.exe.exe, 00000003.00000003.516542699.0000000001674000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllceProviderElement, System.WorkflowServices, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
Source: dhcpmon.exe, 0000000F.00000002.302154152.00000000034EF000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Scan002.exe.exe, 00000003.00000002.610681716.0000000006AE0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Scan002.exe.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\Scan002.exe.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Scan002.exe.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Scan002.exe.exe Memory written: C:\Users\user\Desktop\Scan002.exe.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Memory written: C:\Users\user\Desktop\Scan002.exe.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Scan002.exe.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process created: C:\Users\user\Desktop\Scan002.exe.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8ED7.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91C6.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp414F.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Process created: C:\Users\user\Desktop\Scan002.exe.exe {path} Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: Scan002.exe.exe, 00000003.00000002.604032239.0000000001D80000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: Scan002.exe.exe, 00000003.00000002.607858525.000000000396A000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: Scan002.exe.exe, 00000003.00000002.604032239.0000000001D80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Scan002.exe.exe, 00000003.00000002.604032239.0000000001D80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Scan002.exe.exe, 00000003.00000002.603815130.0000000001674000.00000004.00000020.sdmp Binary or memory string: Program Managerp#|
Source: Scan002.exe.exe, 00000003.00000002.604032239.0000000001D80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: Scan002.exe.exe, 00000003.00000002.603815130.0000000001674000.00000004.00000020.sdmp Binary or memory string: Program Managerkt\,S

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_0151AF9A GetUserNameW, 3_2_0151AF9A
Source: C:\Users\user\Desktop\Scan002.exe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY
Source: Yara match File source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: Scan002.exe.exe, 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Scan002.exe.exe, 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: Scan002.exe.exe, 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: dhcpmon.exe, 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Yara detected Nanocore RAT
Source: Yara match File source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY
Source: Yara match File source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_03342B26 bind, 3_2_03342B26
Source: C:\Users\user\Desktop\Scan002.exe.exe Code function: 3_2_03342AF6 bind, 3_2_03342AF6
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 338348 Sample: Scan002.exe.exe Startdate: 12/01/2021 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for domain / URL 2->68 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 11 other signatures 2->74 9 Scan002.exe.exe 6 2->9         started        13 Scan002.exe.exe 4 2->13         started        15 dhcpmon.exe 2->15         started        17 dhcpmon.exe 3 2->17         started        process3 file4 58 C:\Users\user\AppData\...\UbebSiSIKndjd.exe, PE32 9->58 dropped 60 C:\Users\user\AppData\Local\...\tmp1945.tmp, XML 9->60 dropped 62 C:\Users\user\AppData\...\Scan002.exe.exe.log, ASCII 9->62 dropped 80 Injects a PE file into a foreign processes 9->80 19 Scan002.exe.exe 1 14 9->19         started        24 schtasks.exe 1 9->24         started        26 schtasks.exe 1 13->26         started        28 Scan002.exe.exe 2 13->28         started        signatures5 process6 dnsIp7 64 innocentbooii.hopto.org 172.111.249.15, 55420 AS45671-NET-AUWholesaleServicesProviderAU United States 19->64 66 192.168.2.1 unknown unknown 19->66 52 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->52 dropped 54 C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859 19->54 dropped 56 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->56 dropped 76 Protects its processes via BreakOnTermination flag 19->76 78 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->78 30 schtasks.exe 1 19->30         started        32 schtasks.exe 1 19->32         started        34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        file8 signatures9 process10 process11 38 conhost.exe 30->38         started        40 conhost.exe 32->40         started        42 schtasks.exe 36->42         started        44 dhcpmon.exe 36->44         started        46 dhcpmon.exe 36->46         started        48 dhcpmon.exe 36->48         started        process12 50 conhost.exe 42->50         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.111.249.15
 unknown United States
45671 AS45671-NET-AUWholesaleServicesProviderAU true

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
innocentbooii.hopto.org 172.111.249.15 true