Analysis Report Scan002.exe.exe

Overview

General Information

Sample Name: Scan002.exe.exe
Analysis ID: 338348
MD5: 8e2315d05c47fefdddf0a686bf9e353e
SHA1: e56fe197d61518b5ea20696677c3fb444e39860e
SHA256: dd647e98e0bd3b1627a0385970c38cd046883967f39dbf9fe416d5300e8e310a
Tags: exe, NanoCore, RAT, Yahoo

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Parent Proces Executions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Scan002.exe.exe (PID: 2960 cmdline: 'C:\Users\user\Desktop\Scan002.exe.exe' MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
    • schtasks.exe (PID: 4564 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Scan002.exe.exe (PID: 4340 cmdline: {path} MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
      • schtasks.exe (PID: 4260 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8ED7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 976 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91C6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Scan002.exe.exe (PID: 204 cmdline: C:\Users\user\Desktop\Scan002.exe.exe 0 MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
    • schtasks.exe (PID: 5876 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp414F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6608 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • dhcpmon.exe (PID: 6712 cmdline: {path} MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
        • dhcpmon.exe (PID: 6744 cmdline: {path} MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
        • dhcpmon.exe (PID: 6764 cmdline: {path} MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
    • Scan002.exe.exe (PID: 4260 cmdline: {path} MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
  • dhcpmon.exe (PID: 5396 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
  • dhcpmon.exe (PID: 2160 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 8E2315D05C47FEFDDDF0A686BF9E353E)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["172.111.249.15"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1d8595:$x1: NanoCore.ClientPluginHost
  • 0x1d85d2:$x2: IClientNetworkHost
  • 0x1dc105:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x1d82fd:$a: NanoCore
  • 0x1d830d:$a: NanoCore
  • 0x1d8541:$a: NanoCore
  • 0x1d8555:$a: NanoCore
  • 0x1d8595:$a: NanoCore
  • 0x1d835c:$b: ClientPlugin
  • 0x1d855e:$b: ClientPlugin
  • 0x1d859e:$b: ClientPlugin
  • 0x127a96:$c: ProjectData
  • 0x1d8483:$c: ProjectData
  • 0x128537:$d: DESCrypto
  • 0x1d8e8a:$d: DESCrypto
  • 0x1e0856:$e: KeepAlive
  • 0x1de844:$g: LogClientMessage
  • 0x1daa3f:$i: get_Connected
  • 0x1d91c0:$j: #=q
  • 0x1d91f0:$j: #=q
  • 0x1d920c:$j: #=q
  • 0x1d923c:$j: #=q
  • 0x1d9258:$j: #=q
  • 0x1d9274:$j: #=q
0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(47 entries in total; only the first are shown above)

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.Scan002.exe.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.Scan002.exe.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
13.2.Scan002.exe.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
13.2.Scan002.exe.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
3.2.Scan002.exe.exe.6220000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
(17 entries in total; only the first are shown above)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Scan002.exe.exe, ProcessId: 4340, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Scan002.exe.exe' , ParentImage: C:\Users\user\Desktop\Scan002.exe.exe, ParentProcessId: 2960, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp', ProcessId: 4564
Sigma detected: Conhost Parent Proces Executions
Source: Process started | Author: omkar72 | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 2160, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp', ProcessId: 6608

Signature Overview

AV Detection:

Found malware configuration
Source: dhcpmon.exe.6764.27.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["172.111.249.15"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for domain / URL
Source: innocentbooii.hopto.org | Virustotal: Detection: 8%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY
Source: Yara match | File source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY
Source: Yara match | File source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY
Source: Yara match | File source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\UbebSiSIKndjd.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Scan002.exe.exe | Joe Sandbox ML: detected
Source: 3.2.Scan002.exe.exe.6220000.6.unpack | Avira: Label: TR/NanoCore.fadte
Source: 13.2.Scan002.exe.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.Scan002.exe.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: Scan002.exe.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Scan002.exe.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Scan002.exe.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, dhcpmon.exe, 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: Scan002.exe.exe, 00000000.00000002.264377341.00000000067C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000003.00000002.609595214.0000000005F20000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.282247924.0000000006D60000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.277107575.0000000006B00000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.308220988.0000000007170000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 4x nop then jmp 0667082Dh
Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 4x nop then jmp 0667082Dh
Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 172.111.249.15
Source: Joe Sandbox View | ASN Name: AS45671-NET-AUWholesaleServicesProviderAU
Source: unknown | DNS traffic detected: queries for: innocentbooii.hopto.org
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000000.00000003.227051250.0000000004EED000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Scan002.exe.exe, 00000000.00000003.232966975.0000000004ECF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Scan002.exe.exe, 00000000.00000003.235619449.0000000004EC2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlh
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerss
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFk/
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comN/
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comTTFY/
Source: Scan002.exe.exe, 00000000.00000002.255981298.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsa
Source: Scan002.exe.exe, 00000000.00000003.236366761.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsd
Source: Scan002.exe.exe, 00000000.00000002.255981298.0000000004EB0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcoma
Source: Scan002.exe.exe, 00000000.00000003.226824848.0000000004EED000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Scan002.exe.exe, 00000000.00000003.226884104.0000000004EED000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com4
Source: Scan002.exe.exe, 00000000.00000003.228394731.0000000004EC1000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Scan002.exe.exe, 00000000.00000003.229248591.0000000004EB4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Scan002.exe.exe, 00000000.00000003.228156025.0000000004EB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn8
Source: Scan002.exe.exe, 00000000.00000003.228230964.0000000004EBE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnI
Source: Scan002.exe.exe, 00000000.00000003.228156025.0000000004EB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cne-di.
Source: Scan002.exe.exe, 00000000.00000003.228156025.0000000004EB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnoftA.
Source: Scan002.exe.exe, 00000000.00000003.228156025.0000000004EB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnorm
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Scan002.exe.exe, 00000000.00000003.231098088.0000000004EB5000.00000004.00000001.sdmp, Scan002.exe.exe, 00000000.00000003.231221602.0000000004EB6000.00000004.00000001.sdmp, Scan002.exe.exe, 00000000.00000003.231280337.0000000004EB6000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Scan002.exe.exe, 00000000.00000003.231221602.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/40
Source: Scan002.exe.exe, 00000000.00000003.231098088.0000000004EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/G/
Source: Scan002.exe.exe, 00000000.00000003.231280337.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/N/
Source: Scan002.exe.exe, 00000000.00000003.231221602.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Pogr
Source: Scan002.exe.exe, 00000000.00000003.231280337.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0P
Source: Scan002.exe.exe, 00000000.00000003.231447812.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0Y/
Source: Scan002.exe.exe, 00000000.00000003.231447812.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Scan002.exe.exe, 00000000.00000003.231447812.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/k/
Source: Scan002.exe.exe, 00000000.00000003.231098088.0000000004EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/k/
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Scan002.exe.exe, 00000000.00000003.229248591.0000000004EB4000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.
Source: dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Scan002.exe.exe, 00000000.00000003.236674676.0000000004ECF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Scan002.exe.exe, 00000000.00000003.232418765.0000000004ECF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de2
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Scan002.exe.exe, 00000000.00000003.232418765.0000000004ECF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.dei
Source: Scan002.exe.exe, 00000000.00000003.232418765.0000000004ECF000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deod
Source: Scan002.exe.exe, 00000000.00000002.256151393.00000000050C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.278996252.00000000056E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.275007588.00000000054A0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.306107796.0000000005AF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Scan002.exe.exe, 00000000.00000002.251177607.0000000000AE9000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara matchFile source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY
        Source: Yara matchFile source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

        Operating System Destruction:

        Protects its processes via BreakOnTermination flag
        Source: C:\Users\user\Desktop\Scan002.exe.exeProcess information set: 01 00 00 00

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.609917775.00000000060D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.Scan002.exe.exe.5f80000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.Scan002.exe.exe.60d0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_03341622 NtSetInformationProcess,
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_033418E6 NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_033418AB NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_033415F1 NtSetInformationProcess,
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_06CF1C9E NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_06CF1C64 NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDDA80
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDE2E0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDAF98
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDF584
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDB778
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDB4D0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDE2D0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDB4C1
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDAF88
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDB770
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BDDB40
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_06677F75
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_06677B25
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_066707C8
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_066707B8
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BD3B3F
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BD3B50
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BD0950
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 0_2_04BD0941
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032DB748
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032D2FA8
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032D23A0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032D9A78
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032D8E78
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032D9B3F
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 3_2_032D306F
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AB778
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AF584
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AAF98
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052ADA80
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AE2E0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AB76A
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052ADB40
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AE35C
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AAF88
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AB4C1
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AB4D0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052AE2D0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_068A7B25
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_068A8134
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_068A7F75
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052A3B3F
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052A0941
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052A0950
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 8_2_052A3B50
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504B778
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504F584
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504AF88
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504DA80
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504E2E0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504DB40
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504B4C1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504B4D0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0504E2D0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_06BF7B25
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_06BF7F75
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_05043B3F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_05040941
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_05040950
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_05043B50
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 13_2_04F123A0
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 13_2_04F12FA8
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 13_2_04F13850
        Source: C:\Users\user\Desktop\Scan002.exe.exeCode function: 13_2_04F1306F
        Source: Scan002.exe.exeBinary or memory string: OriginalFilename vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000000.00000002.264686233.0000000006A60000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000000.00000002.264377341.00000000067C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000000.00000002.256132215.00000000050A0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000000.00000002.267133655.00000000073B0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000000.00000002.267133655.00000000073B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000000.00000000.225279011.0000000000322000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
        Source: Scan002.exe.exeBinary or memory string: OriginalFilename vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000003.252025197.0000000001653000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoProtectClient.dllT vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.610681716.0000000006AE0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.609595214.0000000005F20000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.603697296.00000000015FA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000003.00000002.604453423.0000000003330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Scan002.exe.exe
        Source: Scan002.exe.exeBinary or memory string: OriginalFilename vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000008.00000000.256183402.0000000000A02000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000008.00000002.282371680.0000000006DC0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000008.00000002.282516385.0000000006E80000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000008.00000002.282516385.0000000006E80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000008.00000002.282247924.0000000006D60000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Scan002.exe.exe
        Source: Scan002.exe.exe, 00000008.00000002.282968651.00000000072E0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Scan002.exe.exe
        Source: Scan002.exe.exeBinary or memory string: OriginalFilename vs Scan002.exe.exe
        Source: Scan002.exe.exe, 0000000D.00000002.288483394.0000000005020000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Scan002.exe.exe
        Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoProtectClient.dllT vs Scan002.exe.exe
        Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Scan002.exe.exe
        Source: Scan002.exe.exe, 0000000D.00000002.286701957.0000000000662000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
        Source: Scan002.exe.exeBinary or memory string: OriginalFilenameQ& vs Scan002.exe.exe
        Source: Scan002.exe.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.609917775.00000000060D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.609917775.00000000060D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.Scan002.exe.exe.5f80000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.Scan002.exe.exe.5f80000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.Scan002.exe.exe.60d0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.Scan002.exe.exe.60d0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Scan002.exe.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: UbebSiSIKndjd.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@29/12@6/2
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 3_2_033414A6 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 3_2_0334146F AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 8_2_06CF1BCE AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 8_2_06CF1B97 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\Scan002.exe.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\Scan002.exe.exe | File created: C:\Users\user\AppData\Roaming\UbebSiSIKndjd.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Mutant created: \Sessions\1\BaseNamedObjects\HJFlgkyVhFQuadxHkBKPB
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5412:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_01
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{f54d19ad-33bd-4372-9241-49940a512cfd}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2160:120:WilError_01
        Source: C:\Users\user\Desktop\Scan002.exe.exe | File created: C:\Users\user\AppData\Local\Temp\tmp1945.tmp
        Source: Scan002.exe.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Scan002.exe.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\Scan002.exe.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\Scan002.exe.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\Scan002.exe.exe | File read: C:\Users\user\Desktop\Scan002.exe.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Scan002.exe.exe 'C:\Users\user\Desktop\Scan002.exe.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Scan002.exe.exe {path}
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8ED7.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91C6.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Scan002.exe.exe C:\Users\user\Desktop\Scan002.exe.exe 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp414F.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Scan002.exe.exe {path}
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp'
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Process created: C:\Users\user\Desktop\Scan002.exe.exe {path}
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8ED7.tmp'
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91C6.tmp'
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp414F.tmp'
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Process created: C:\Users\user\Desktop\Scan002.exe.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\Scan002.exe.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: Scan002.exe.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\Scan002.exe.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: Scan002.exe.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: Scan002.exe.exe, 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, Scan002.exe.exe, 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, dhcpmon.exe, 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp
        Source: Binary string: mscorrc.pdb source: Scan002.exe.exe, 00000000.00000002.264377341.00000000067C0000.00000002.00000001.sdmp, Scan002.exe.exe, 00000003.00000002.609595214.0000000005F20000.00000002.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.282247924.0000000006D60000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.277107575.0000000006B00000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.308220988.0000000007170000.00000002.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: Scan002.exe.exe, OSTBseLT?j??r/?N?R?wiDP.cs | .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: UbebSiSIKndjd.exe.0.dr, OSTBseLT?j??r/?N?R?wiDP.cs | .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.Scan002.exe.exe.320000.0.unpack, OSTBseLT?j??r/?N?R?wiDP.cs | .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.Scan002.exe.exe.320000.0.unpack, OSTBseLT?j??r/?N?R?wiDP.cs | .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: dhcpmon.exe.3.dr, OSTBseLT?j??r/?N?R?wiDP.cs | .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.Scan002.exe.exe.d30000.1.unpack, OSTBseLT?j??r/?N?R?wiDP.cs | .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.Scan002.exe.exe.d30000.0.unpack, OSTBseLT?j??r/?N?R?wiDP.cs | .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 8.0.Scan002.exe.exe.a00000.0.unpack, OSTBseLT?j??r/?N?R?wiDP.cs | .Net Code: J?DpCTV?y System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 0_2_04BDC928 push eax; iretd
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 3_2_015374B8 push ebp; ret
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 3_2_015374AC push ecx; ret
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Code function: 8_2_052AC928 push eax; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0504C928 push eax; iretd
        Source: initial sample | Static PE information: section name: .text entropy: 7.70309811015
        Source: initial sample | Static PE information: section name: .text entropy: 7.70309811015
        Source: initial sample | Static PE information: section name: .text entropy: 7.70309811015
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.2.Scan002.exe.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\Scan002.exe.exe | File created: C:\Users\user\AppData\Roaming\UbebSiSIKndjd.exe
        Source: C:\Users\user\Desktop\Scan002.exe.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\Scan002.exe.exe | File opened: C:\Users\user\Desktop\Scan002.exe.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\Scan002.exe.exe | Process information set: NOOPENFILEERRORBOX (104 identical entries)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM_3
        Source: Yara match	File source: 0000000A.00000002.270860826.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5396, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: Scan002.exe.exe, 00000000.00000002.252199504.0000000002A71000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.275208784.0000000003101000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.270929601.0000000002EDF000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLX1
        Source: Scan002.exe.exe, 00000000.00000002.252540430.0000000002AE5000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.275304601.000000000319F000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.270860826.0000000002E41000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.302154152.00000000034EF000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: Scan002.exe.exe, 00000000.00000002.252540430.0000000002AE5000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.275304601.000000000319F000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.270860826.0000000002E41000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.302154152.00000000034EF000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
        Source: Scan002.exe.exe, 00000000.00000002.252199504.0000000002A71000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.275208784.0000000003101000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.270929601.0000000002EDF000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Window / User API: threadDelayed 1027
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Window / User API: foregroundWindowGot 1245
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Window / User API: foregroundWindowGot 434
        Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 2172	Thread sleep time: -31500s >= -30000s
        Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 5916	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 5952	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 5416	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 5416	Thread sleep count: 74 > 30
        Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 5416	Thread sleep count: 255 > 30
        Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 4628	Thread sleep count: 1027 > 30
        Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 3008	Thread sleep time: -180000s >= -30000s
        Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 4660	Thread sleep time: -31500s >= -30000s
        Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 892	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5056	Thread sleep time: -31500s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4728	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Scan002.exe.exe TID: 5308	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4488	Thread sleep time: -31500s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5896	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6812	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Code function: 3_2_033416CA GetSystemInfo,
        Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: VMware
        Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: vmwareX1
        Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: VMWARE|9
        Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: q#"SOFTWARE\VMware, Inc.\VMware ToolsX1
        Source: Scan002.exe.exe, 00000003.00000002.610681716.0000000006AE0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: q&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1
        Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: VMware|9
        Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1
        Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: VMware |9
        Source: Scan002.exe.exe, 00000003.00000003.516542699.0000000001674000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
        Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: VMWARE
        Source: dhcpmon.exe, 0000000F.00000002.302154152.00000000034EF000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: Scan002.exe.exe, 00000003.00000002.610681716.0000000006AE0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: Scan002.exe.exe, 00000003.00000002.610681716.0000000006AE0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1
        Source: dhcpmon.exe, 0000000F.00000002.302154152.00000000034EF000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: dhcpmon.exe, 0000000F.00000002.302154152.00000000034EF000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
        Source: dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: VMware
        Source: Scan002.exe.exe, 00000000.00000002.252199504.0000000002A71000.00000004.00000001.sdmp, Scan002.exe.exe, 00000008.00000002.275208784.0000000003101000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.270929601.0000000002EDF000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.302189845.000000000352F000.00000004.00000001.sdmp	Binary or memory string: QEMUX1
        Source: Scan002.exe.exe, 00000003.00000003.516542699.0000000001674000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllceProviderElement, System.WorkflowServices, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
        Source: dhcpmon.exe, 0000000F.00000002.302154152.00000000034EF000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: Scan002.exe.exe, 00000003.00000002.610681716.0000000006AE0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Process token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Memory written: C:\Users\user\Desktop\Scan002.exe.exe base: 400000 value starts with: 4D5A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp'
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Process created: C:\Users\user\Desktop\Scan002.exe.exe {path}
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8ED7.tmp'
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91C6.tmp'
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp414F.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: Scan002.exe.exe, 00000003.00000002.604032239.0000000001D80000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
        Source: Scan002.exe.exe, 00000003.00000002.607858525.000000000396A000.00000004.00000001.sdmp	Binary or memory string: Program Manager
        Source: Scan002.exe.exe, 00000003.00000002.604032239.0000000001D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
        Source: Scan002.exe.exe, 00000003.00000002.604032239.0000000001D80000.00000002.00000001.sdmp	Binary or memory string: Progman
        Source: Scan002.exe.exe, 00000003.00000002.603815130.0000000001674000.00000004.00000020.sdmp	Binary or memory string: Program Managerp#|
        Source: Scan002.exe.exe, 00000003.00000002.604032239.0000000001D80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
        Source: Scan002.exe.exe, 00000003.00000002.603815130.0000000001674000.00000004.00000020.sdmp	Binary or memory string: Program Managerkt\,S
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Code function: 3_2_0151AF9A GetUserNameW,
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match; File source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 6764, type: MEMORY
        Source: Yara match; File source: Process Memory Space: Scan002.exe.exe PID: 4340, type: MEMORY
        Source: Yara match; File source: Process Memory Space: Scan002.exe.exe PID: 4260, type: MEMORY
        Source: Yara match; File source: 13.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 3.2.Scan002.exe.exe.6220000.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 3.2.Scan002.exe.exe.6220000.6.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 3.2.Scan002.exe.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 27.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: Scan002.exe.exe, 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: Scan002.exe.exe, 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Sources: the same memory dumps, process memory spaces and unpacked PE files listed for this signature under Stealing of Sensitive Information above.
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Code function: 3_2_03342B26 bind,
        Source: C:\Users\user\Desktop\Scan002.exe.exe; Code function: 3_2_03342AF6 bind,

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Access Token Manipulation (1) | Masquerading (2) | Input Capture (21) | Security Software Discovery (111) | Remote Services | Input Capture (21) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection (112) | Virtualization/Sandbox Evasion (3) | LSASS Memory | Virtualization/Sandbox Evasion (3) | Remote Desktop Protocol | Archive Collected Data (11) | Exfiltration Over Bluetooth | Remote Access Software (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job (1) | Disable or Modify Tools (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (11) | SIM Card Swap |  | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection (112) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories (1) | DCSync | Remote System Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information (3) | Proc Filesystem | File and Directory Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing (13) | /etc/passwd and /etc/shadow | System Information Discovery (13) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

        Behavior Graph

        Behavior Graph ID: 338348; Sample: Scan002.exe.exe; Startdate: 12/01/2021; Architecture: WINDOWS; Score: 100

        Signatures on the start node: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures.

        Process tree recovered from the graph (node numbers as in the graph):

        • Start -> Scan002.exe.exe (9), Scan002.exe.exe (13), dhcpmon.exe (15), dhcpmon.exe (17)
        • Scan002.exe.exe (9): dropped C:\Users\user\AppData\...\UbebSiSIKndjd.exe (PE32), C:\Users\user\AppData\Local\...\tmp1945.tmp (XML), C:\Users\user\AppData\...\Scan002.exe.exe.log (ASCII); signature: Injects a PE file into a foreign processes; started Scan002.exe.exe (19), schtasks.exe (24)
        • Scan002.exe.exe (13): started schtasks.exe (26), Scan002.exe.exe (28)
        • Scan002.exe.exe (19): DNS/IP: innocentbooii.hopto.org 172.111.249.15, port 55420, AS45671-NET-AUWholesaleServicesProviderAU, United States; 192.168.2.1 unknown unknown; dropped C:\Program Files (x86)\...\dhcpmon.exe (PE32), C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859), C:\...\dhcpmon.exe:Zone.Identifier (ASCII); signatures: Protects its processes via BreakOnTermination flag; Hides that the sample has been downloaded from the Internet (zone.identifier); started schtasks.exe (30), schtasks.exe (32)
        • schtasks.exe (24) -> conhost.exe (34); schtasks.exe (26) -> conhost.exe (36); schtasks.exe (30) -> conhost.exe (38); schtasks.exe (32) -> conhost.exe (40)
        • conhost.exe (36) -> schtasks.exe (42), dhcpmon.exe (44), dhcpmon.exe (46), dhcpmon.exe (48)
        • schtasks.exe (42) -> conhost.exe (50)

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        Scan002.exe.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\UbebSiSIKndjd.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        3.2.Scan002.exe.exe.6220000.6.unpack | 100% | Avira | TR/NanoCore.fadte
        13.2.Scan002.exe.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        27.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.2.Scan002.exe.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        Source | Detection | Scanner | Label
        innocentbooii.hopto.org | 8% | Virustotal |

        URLs


        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Reputation
innocentbooii.hopto.org | 172.111.249.15 | true | true | unknown

        URLs from Memory and Binaries


                                  Contacted IPs


                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.111.249.15 | unknown | United States | 45671 | AS45671-NET-AUWholesaleServicesProviderAU | true

                                  Private

                                  IP
                                  192.168.2.1

                                  General Information

                                  Joe Sandbox Version:31.0.0 Red Diamond
                                  Analysis ID:338348
                                  Start date:12.01.2021
                                  Start time:07:18:34
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 14m 36s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:Scan002.exe.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:40
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@29/12@6/2
                                  EGA Information:Failed
                                  HDC Information:Failed
                                  HCA Information:
                                  • Successful, ratio: 92%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .exe
                                  Warnings:
                                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                  • Excluded IPs from analysis (whitelisted): 40.88.32.150, 13.88.21.125, 104.79.90.110, 51.104.139.180, 92.122.213.247, 92.122.213.194, 93.184.221.240, 51.103.5.186, 52.155.217.156, 20.54.26.129, 51.11.168.160
                                  • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

Time | Type | Description
07:19:29 | API Interceptor | 1267x Sleep call for process: Scan002.exe.exe modified
07:19:35 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Scan002.exe.exe" s>$(Arg0)
07:19:38 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
07:19:39 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
07:19:40 | API Interceptor | 3x Sleep call for process: dhcpmon.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  No context

                                  Domains

Match | Associated Sample Name / URL | Detection | Context
innocentbooii.hopto.org | File.exe | malicious | 194.5.98.108
innocentbooii.hopto.org | SWB copy.exe | malicious | 194.5.98.108
innocentbooii.hopto.org | 0LGpT3WYf1.exe | malicious | 154.120.96.115

                                  ASN


                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Process:C:\Users\user\Desktop\Scan002.exe.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):910848
                                  Entropy (8bit):7.69470592663904
                                  Encrypted:false
                                  SSDEEP:12288:YMbCszXQrmZDevwQoqqj7h8tT8kqfbPVdhZu9TitgOLdKYy02UB+4zgl:DbCszXvvcwXh5gYK3029Ag
                                  MD5:8E2315D05C47FEFDDDF0A686BF9E353E
                                  SHA1:E56FE197D61518B5EA20696677C3FB444E39860E
                                  SHA-256:DD647E98E0BD3B1627A0385970C38CD046883967F39DBF9FE416D5300E8E310A
                                  SHA-512:D052FADFE382F2910992677F65BFDD1C5CDABD50837925B6B5EA14038026EC49E30112DE25D3E88A78CE832CEE7D79AE66A0821C2570276C12FBCAD2676050CC
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_............................N.... ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................0.......H.......................t{..8............................................0............o.... ...._ ..........,.....8.....o....t..... . &.......o.....o....(........o......o.......o.....o....Z.Z..................(........+E......X.Y........,.+*......X.....X.....X........X......X.l.Z.....X.......i......-........(.......o........+...*^..}.....(.......(.....*.0...........s......o.......(.....*.".(.....*....0...........s......o.......(.....*..0..+.........,..{.......+....,...{....o
                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                  Process:C:\Users\user\Desktop\Scan002.exe.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Preview: [ZoneTransfer]....ZoneId=0
                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Scan002.exe.exe.log
                                  Process:C:\Users\user\Desktop\Scan002.exe.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):525
                                  Entropy (8bit):5.2874233355119316
                                  Encrypted:false
                                  SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                  MD5:61CCF53571C9ABA6511D696CB0D32E45
                                  SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                  SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                  SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                  Malicious:true
                                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):525
                                  Entropy (8bit):5.2874233355119316
                                  Encrypted:false
                                  SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                  MD5:61CCF53571C9ABA6511D696CB0D32E45
                                  SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                  SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                  SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                  Malicious:false
                                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                  C:\Users\user\AppData\Local\Temp\tmp1945.tmp
                                  Process:C:\Users\user\Desktop\Scan002.exe.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1662
                                  Entropy (8bit):5.1728135789612715
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBJtn:cbhH7MlNQ8/rydbz9I3YODOLNdq39
                                  MD5:AA28189D75A160986C9DDF1DE1CBD68C
                                  SHA1:5C5EA1B0C1CA0BDEB33320AABD86BA464E4D432B
                                  SHA-256:845906543657D1AB101D9B1819DF5CFF158C8F397F7506FEEC42891CD78A1A1B
                                  SHA-512:5DBB5CB20838D719F0B3532AE5DBAD235F78BC0DE8954783FB98344218D06083BAB808E29363C9901973FFDAF746FE06ACE3CF29D1CCEB623A94245DDE4FBB53
                                  Malicious:true
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                                  C:\Users\user\AppData\Local\Temp\tmp414F.tmp
                                  Process:C:\Users\user\Desktop\Scan002.exe.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1662
                                  Entropy (8bit):5.1728135789612715
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBJtn:cbhH7MlNQ8/rydbz9I3YODOLNdq39
                                  MD5:AA28189D75A160986C9DDF1DE1CBD68C
                                  SHA1:5C5EA1B0C1CA0BDEB33320AABD86BA464E4D432B
                                  SHA-256:845906543657D1AB101D9B1819DF5CFF158C8F397F7506FEEC42891CD78A1A1B
                                  SHA-512:5DBB5CB20838D719F0B3532AE5DBAD235F78BC0DE8954783FB98344218D06083BAB808E29363C9901973FFDAF746FE06ACE3CF29D1CCEB623A94245DDE4FBB53
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                                  C:\Users\user\AppData\Local\Temp\tmp65AF.tmp
                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1662
                                  Entropy (8bit):5.1728135789612715
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBJtn:cbhH7MlNQ8/rydbz9I3YODOLNdq39
                                  MD5:AA28189D75A160986C9DDF1DE1CBD68C
                                  SHA1:5C5EA1B0C1CA0BDEB33320AABD86BA464E4D432B
                                  SHA-256:845906543657D1AB101D9B1819DF5CFF158C8F397F7506FEEC42891CD78A1A1B
                                  SHA-512:5DBB5CB20838D719F0B3532AE5DBAD235F78BC0DE8954783FB98344218D06083BAB808E29363C9901973FFDAF746FE06ACE3CF29D1CCEB623A94245DDE4FBB53
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                                  C:\Users\user\AppData\Local\Temp\tmp8ED7.tmp
                                  Process:C:\Users\user\Desktop\Scan002.exe.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1305
                                  Entropy (8bit):5.096557144339906
                                  Encrypted:false
                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0XExtn:cbk4oL600QydbQxIYODOLedq3hj
                                  MD5:29C2992183264E85915470135EDB70C9
                                  SHA1:AE42A898163FDDD286F9CC036789BDEE76BBCA79
                                  SHA-256:BAEE5F35FF81D3654E18E7356CAEE7D51CD198CAB7DD368E8D5FF5C408CA2BCC
                                  SHA-512:C28C9C8D86D1A38915AC69E50183319DE9F08ACCBB576933B2F68C9FE7F925ADF4B031733279E9B7C7791890FA2701235D3DF6915A47A26879D5EC3910A26F8C
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                  C:\Users\user\AppData\Local\Temp\tmp91C6.tmp
                                  Process:C:\Users\user\Desktop\Scan002.exe.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:modified
                                  Size (bytes):1310
                                  Entropy (8bit):5.109425792877704
                                  Encrypted:false
                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                  MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                  SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                  SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                  SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                  Malicious:false
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                  Process:C:\Users\user\Desktop\Scan002.exe.exe
                                  File Type:ISO-8859 text, with CR line terminators
                                  Category:dropped
                                  Size (bytes):8
                                  Entropy (8bit):3.0
                                  Encrypted:false
                                  SSDEEP:3:hat:hat
                                  MD5:2C91F0DF6F187C76EADD8473749B5E06
                                  SHA1:C5D523419059FC3AC148A041E7DCC3EAB4500677
                                  SHA-256:A20F2288309FC1823C655409F922A077422D2DCD0BDF75104064B8A97177180E
                                  SHA-512:E207A7B37E5B154F0C44D5506DDC62BDC1FA5FF19676549174F581DF6141EAE512DE559ABA585815A9418533A296352DD2B3089C9E0B32AAFF506FDAACE33057
                                  Malicious:true
                                  Preview: ...w...H
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                  Process:C:\Users\user\Desktop\Scan002.exe.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):42
                                  Entropy (8bit):4.162520173864397
                                  Encrypted:false
                                  SSDEEP:3:oN0naRR2GiAIN:oNcSR2DAI
                                  MD5:5A95A542025A94567015BC5FB4638686
                                  SHA1:65939CC89B4611F466E62AA799325B72ED12FD71
                                  SHA-256:0D4F4D965CB445119C1A5D9266593A1081C4E97E3403905366B98ADC9D7709F7
                                  SHA-512:EE0A17A0DC7F4D3A815CBC4BA873E5661D7C51A6788CBBCDB5EF01415EC18EBED4740AE9839B704201EECC4B4FC1D6B2DF1D7EC1A1BA4346A386BE0D0BA7E40D
                                  Malicious:false
                                  Preview: C:\Users\user\Desktop\Scan002.exe.exe
                                  C:\Users\user\AppData\Roaming\UbebSiSIKndjd.exe
                                  Process:C:\Users\user\Desktop\Scan002.exe.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):910848
                                  Entropy (8bit):7.69470592663904
                                  Encrypted:false
                                  SSDEEP:12288:YMbCszXQrmZDevwQoqqj7h8tT8kqfbPVdhZu9TitgOLdKYy02UB+4zgl:DbCszXvvcwXh5gYK3029Ag
                                  MD5:8E2315D05C47FEFDDDF0A686BF9E353E
                                  SHA1:E56FE197D61518B5EA20696677C3FB444E39860E
                                  SHA-256:DD647E98E0BD3B1627A0385970C38CD046883967F39DBF9FE416D5300E8E310A
                                  SHA-512:D052FADFE382F2910992677F65BFDD1C5CDABD50837925B6B5EA14038026EC49E30112DE25D3E88A78CE832CEE7D79AE66A0821C2570276C12FBCAD2676050CC
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_............................N.... ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................0.......H.......................t{..8............................................0............o.... ...._ ..........,.....8.....o....t..... . &.......o.....o....(........o......o.......o.....o....Z.Z..................(........+E......X.Y........,.+*......X.....X.....X........X......X.l.Z.....X.......i......-........(.......o........+...*^..}.....(.......(.....*.0...........s......o.......(.....*.".(.....*....0...........s......o.......(.....*..0..+.........,..{.......+....,...{....o

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.69470592663904
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:Scan002.exe.exe
                                  File size:910848
                                  MD5:8e2315d05c47fefdddf0a686bf9e353e
                                  SHA1:e56fe197d61518b5ea20696677c3fb444e39860e
                                  SHA256:dd647e98e0bd3b1627a0385970c38cd046883967f39dbf9fe416d5300e8e310a
                                  SHA512:d052fadfe382f2910992677f65bfdd1c5cdabd50837925b6b5ea14038026ec49e30112de25d3e88a78ce832cee7d79ae66a0821c2570276c12fbcad2676050cc
                                  SSDEEP:12288:YMbCszXQrmZDevwQoqqj7h8tT8kqfbPVdhZu9TitgOLdKYy02UB+4zgl:DbCszXvvcwXh5gYK3029Ag
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_............................N.... ........@.. .......................@............@................................

                                  File Icon

                                  Icon Hash:00828e8e8686b000

                                  Static PE Info

                                  General

                                  Entrypoint:0x4df84e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x5FFCCC88 [Mon Jan 11 22:09:12 2021 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v2.0.50727
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                  Entrypoint Preview

                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al

                                  Data Directories

                                  Name                                  Virtual Address  Virtual Size  Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_IMPORT          0xdf800          0x4b          .text
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe0000          0x800         .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe2000          0xc           .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                  Sections

                                  Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                  .text   0x2000           0xdd854       0xdda00   False     0.822365869994   data       7.70309811015   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                  .rsrc   0xe0000          0x800         0x800     False     0.3330078125     data       3.49807917331   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc  0xe2000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                  Resources

                                  Name         RVA      Size   Type                                                                        Language  Country
                                  RT_VERSION   0xe0090  0x388  data
                                  RT_MANIFEST  0xe0428  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                  Imports

                                  DLL          Import
                                  mscoree.dll  _CorExeMain
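
                                  The static picture in the tables above is a single managed image: a COM descriptor (the CLR header) at RVA 0x2008, mscoree.dll!_CorExeMain as the only import, and a .text section that holds almost the whole file at an entropy of 7.70. That is what a packed or encrypted .NET loader looks like before it unpacks NanoCore in memory. The following added example is not part of the Joe Sandbox report; it reproduces that triage with the Python standard library, walking the DOS, COFF and optional headers, reading the COM descriptor directory and the section table, and flagging executable sections whose entropy reaches 7.0. Its input is a constructed PE32 skeleton that imitates the sample's layout (CLR header at 0x2008/0x48, .text at RVA 0x2000); the threshold, the helper names and the synthetic section contents are the example's own choices, not data from the report.

```python
import math
import struct

# Section characteristic bits and the directory index from the PE specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
COM_DESCRIPTOR_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a flat byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Minimal PE parser: DOS header -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Data directories start at +96 in a PE32 optional header, +112 in PE32+
    dirs = opt + (96 if magic == 0x10B else 112)
    clr_rva, clr_size = struct.unpack_from("<II", pe, dirs + COM_DESCRIPTOR_INDEX * 8)
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
            "executable": bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)),
        })
    return {"is_dotnet": clr_size != 0, "clr_rva": clr_rva, "sections": sections}


def suspicious_sections(pe: bytes, threshold: float = 7.0) -> list:
    """Names of executable sections whose content looks compressed or encrypted."""
    return [s["name"] for s in parse_pe(pe)["sections"]
            if s["executable"] and s["entropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed PE32 skeleton (not the analysed file): CLR header at the sample's RVA,
    a flat-distribution .text (entropy 8.0) and a four-symbol .rsrc (entropy 2.0)."""
    text = bytes(range(256)) * 16
    rsrc = bytes(i % 4 for i in range(1024))
    e_lfanew, headers = 0x40, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, 2 sections, 224-byte PE32 optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + COM_DESCRIPTOR_INDEX * 8, 0x2008, 0x48)
    sec = "<8sIIIIIIHHI"
    text_hdr = struct.pack(sec, b".text", len(text), 0x2000, len(text), headers, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    rsrc_hdr = struct.pack(sec, b".rsrc", len(rsrc), 0x4000, len(rsrc), headers + len(text),
                           0, 0, 0, 0, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + text_hdr + rsrc_hdr
    return hdr.ljust(headers, b"\0") + text + rsrc


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print("managed (.NET) image:", info["is_dotnet"], "CLR header RVA:", hex(info["clr_rva"]))
    for s in info["sections"]:
        print(f"{s['name']:<8} entropy={s['entropy']:.2f} executable={s['executable']}")
    print("packed/encrypted candidates:", suspicious_sections(sample))
```

                                  To run it against a real file, pass open(path, "rb").read() to parse_pe. A compiler-emitted managed assembly with the same headers normally shows a .text entropy well below 7; the combination of a high-entropy code section with nothing but the runtime stub imported is worth a second look regardless of what the version resource claims, and here the version resource claims to be an Overwolf launcher.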

                                  Version Infos

                                  Description       Data
                                  Translation       0x0000 0x04b0
                                  LegalCopyright    Copyright Overwolf 2011 - 2020
                                  Assembly Version  2.159.0.0
                                  InternalName      Q.exe
                                  FileVersion       2.159.0.0
                                  CompanyName       Overwolf Ltd.
                                  LegalTrademarks
                                  Comments          Overwolf Launcher
                                  ProductName       OverwolfLauncher
                                  ProductVersion    2.159.0.0
                                  FileDescription   OverwolfLauncher
                                  OriginalFilename  Q.exe

                                  Network Behavior

                                  Network Port Distribution

                                  TCP Packets

                                  Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                  Jan 12, 2021 07:19:40.595899105 CET  49727        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:19:43.684853077 CET  49727        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:19:49.721853018 CET  49727        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:19:58.445087910 CET  49734        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:20:01.500910044 CET  49734        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:20:07.499305010 CET  49734        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:20:15.415180922 CET  49738        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:20:18.515856981 CET  49738        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:20:24.516421080 CET  49738        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:20:34.534430981 CET  49755        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:20:37.564301014 CET  49755        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:20:43.580476046 CET  49755        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:20:52.333379030 CET  49756        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:20:55.347028017 CET  49756        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:21:01.347537994 CET  49756        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:21:09.444519997 CET  49759        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:21:12.457886934 CET  49759        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:21:18.474034071 CET  49759        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:21:26.655808926 CET  49760        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:21:29.662377119 CET  49760        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:21:35.678492069 CET  49760        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:21:46.271538019 CET  49761        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:21:49.273406982 CET  49761        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:21:55.275988102 CET  49761        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:22:07.603441954 CET  49762        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:22:10.614824057 CET  49762        55420      192.168.2.7  172.111.249.15
                                  Jan 12, 2021 07:22:16.646604061 CET  49762        55420      192.168.2.7  172.111.249.15

                                  UDP Packets

                                  Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                  Jan 12, 2021 07:19:18.152117968 CET  54329        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:18.200064898 CET  53           54329      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:18.964063883 CET  58052        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:19.011945009 CET  53           58052      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:19.881375074 CET  54008        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:19.937824965 CET  53           54008      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:21.058495998 CET  59451        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:21.106384993 CET  53           59451      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:22.325422049 CET  52914        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:22.373280048 CET  53           52914      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:23.213429928 CET  64569        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:23.264168024 CET  53           64569      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:24.256078005 CET  52816        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:24.304791927 CET  53           52816      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:26.286309004 CET  50781        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:26.342607975 CET  53           50781      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:27.442418098 CET  54230        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:27.490415096 CET  53           54230      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:28.286562920 CET  54911        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:28.337373018 CET  53           54911      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:29.390938044 CET  49958        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:29.438986063 CET  53           49958      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:30.754242897 CET  50860        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:30.802162886 CET  53           50860      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:35.108879089 CET  50452        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:35.160171986 CET  53           50452      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:37.243352890 CET  59730        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:37.302474976 CET  53           59730      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:40.520523071 CET  59310        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:40.580750942 CET  53           59310      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:40.851744890 CET  51919        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:40.902472019 CET  53           51919      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:42.807303905 CET  64296        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:42.868114948 CET  53           64296      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:48.744684935 CET  56680        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:48.792726040 CET  53           56680      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:54.854744911 CET  58820        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:54.915824890 CET  53           58820      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:19:58.382730007 CET  60983        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:19:58.441404104 CET  53           60983      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:06.797521114 CET  49247        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:06.857518911 CET  53           49247      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:07.473124981 CET  52286        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:07.529843092 CET  53           52286      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:10.751045942 CET  56064        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:10.811461926 CET  53           56064      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:15.331238031 CET  63744        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:15.387641907 CET  53           63744      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:18.836529016 CET  61457        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:18.921111107 CET  53           61457      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:19.487760067 CET  58367        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:20.192961931 CET  60599        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:20.263411999 CET  53           60599      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:20.547858953 CET  58367        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:20.604576111 CET  53           58367      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:21.196160078 CET  59571        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:21.252669096 CET  53           59571      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:21.264338017 CET  52689        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:21.321696043 CET  53           52689      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:21.808481932 CET  50290        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:21.856370926 CET  53           50290      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:22.473449945 CET  60427        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:22.521362066 CET  53           60427      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:23.164798021 CET  56209        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:23.215529919 CET  53           56209      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:24.170682907 CET  59582        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:24.227459908 CET  53           59582      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:25.426131964 CET  60949        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:25.484685898 CET  53           60949      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:26.502346992 CET  58542        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:26.561548948 CET  53           58542      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:27.169562101 CET  59179        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:27.225817919 CET  53           59179      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:53.947197914 CET  60927        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:53.998007059 CET  53           60927      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:20:55.887434006 CET  57854        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:20:55.947515965 CET  53           57854      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:21:26.595901966 CET  62026        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:21:26.653759003 CET  53           62026      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:21:46.213160992 CET  59453        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:21:46.269490004 CET  53           59453      8.8.8.8      192.168.2.7
                                  Jan 12, 2021 07:22:07.541016102 CET  62468        53         192.168.2.7  8.8.8.8
                                  Jan 12, 2021 07:22:07.599673986 CET  53           62468      8.8.8.8      192.168.2.7

                                  DNS Queries

                                  Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class
                                  Jan 12, 2021 07:19:40.520523071 CET  192.168.2.7  8.8.8.8  0x3f71    Standard query (0)  innocentbooii.hopto.org  A (IP address)  IN (0x0001)
                                  Jan 12, 2021 07:19:58.382730007 CET  192.168.2.7  8.8.8.8  0x4a9b    Standard query (0)  innocentbooii.hopto.org  A (IP address)  IN (0x0001)
                                  Jan 12, 2021 07:20:15.331238031 CET  192.168.2.7  8.8.8.8  0x241b    Standard query (0)  innocentbooii.hopto.org  A (IP address)  IN (0x0001)
                                  Jan 12, 2021 07:21:26.595901966 CET  192.168.2.7  8.8.8.8  0xf9bb    Standard query (0)  innocentbooii.hopto.org  A (IP address)  IN (0x0001)
                                  Jan 12, 2021 07:21:46.213160992 CET  192.168.2.7  8.8.8.8  0x3240    Standard query (0)  innocentbooii.hopto.org  A (IP address)  IN (0x0001)
                                  Jan 12, 2021 07:22:07.541016102 CET  192.168.2.7  8.8.8.8  0xcfe2    Standard query (0)  innocentbooii.hopto.org  A (IP address)  IN (0x0001)

                                  DNS Answers

                                  Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                     CName  Address         Type            Class
                                  Jan 12, 2021 07:19:40.580750942 CET  8.8.8.8    192.168.2.7  0x3f71    No error (0)  innocentbooii.hopto.org         172.111.249.15  A (IP address)  IN (0x0001)
                                  Jan 12, 2021 07:19:58.441404104 CET  8.8.8.8    192.168.2.7  0x4a9b    No error (0)  innocentbooii.hopto.org         172.111.249.15  A (IP address)  IN (0x0001)
                                  Jan 12, 2021 07:20:15.387641907 CET  8.8.8.8    192.168.2.7  0x241b    No error (0)  innocentbooii.hopto.org         172.111.249.15  A (IP address)  IN (0x0001)
                                  Jan 12, 2021 07:21:26.653759003 CET  8.8.8.8    192.168.2.7  0xf9bb    No error (0)  innocentbooii.hopto.org         172.111.249.15  A (IP address)  IN (0x0001)
                                  Jan 12, 2021 07:21:46.269490004 CET  8.8.8.8    192.168.2.7  0x3240    No error (0)  innocentbooii.hopto.org         172.111.249.15  A (IP address)  IN (0x0001)
                                  Jan 12, 2021 07:22:07.599673986 CET  8.8.8.8    192.168.2.7  0xcfe2    No error (0)  innocentbooii.hopto.org         172.111.249.15  A (IP address)  IN (0x0001)
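
                                  Read together, the three network tables tell one story. Every TCP row is the sandbox host 192.168.2.7 reaching for 172.111.249.15:55420, the address that each DNS answer returns for innocentbooii.hopto.org, and nothing ever comes back: each source port carries one SYN and two retransmissions at roughly +3 s and +6 s (consistent with the default Windows SYN retry schedule), after which the sample opens a fresh port about 17 to 21 seconds later. A dynamic-DNS name resolving to a host that does not accept the connection is what a NanoCore build looks like while its configured C2 is down, and the regular retry cadence is what a network detection should key on. The following added example is not part of the Joe Sandbox report; it runs that analysis over the packet rows above, collapsing retransmits into attempts, grouping attempts by (source, destination, destination port), measuring the spacing between attempts and flagging flows with at least five attempts whose spacing stays within 30% of the median, while recording whether the peer ever answered. The packet lines are taken from the tables above (the leading protocol column is added for parsing); the thresholds, the Beacon record and the helper names are the example's own choices.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Lines copied from the report's TCP and UDP packet tables (protocol column added by hand).
# Columns: proto, timestamp, source port, dest port, source IP, dest IP.
PACKET_LOG = """\
TCP Jan 12, 2021 07:19:40.595899105 CET 49727 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:19:43.684853077 CET 49727 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:19:49.721853018 CET 49727 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:19:58.445087910 CET 49734 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:20:01.500910044 CET 49734 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:20:07.499305010 CET 49734 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:20:15.415180922 CET 49738 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:20:18.515856981 CET 49738 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:20:24.516421080 CET 49738 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:20:34.534430981 CET 49755 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:20:37.564301014 CET 49755 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:20:43.580476046 CET 49755 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:20:52.333379030 CET 49756 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:20:55.347028017 CET 49756 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:21:01.347537994 CET 49756 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:21:09.444519997 CET 49759 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:21:12.457886934 CET 49759 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:21:18.474034071 CET 49759 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:21:26.655808926 CET 49760 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:21:29.662377119 CET 49760 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:21:35.678492069 CET 49760 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:21:46.271538019 CET 49761 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:21:49.273406982 CET 49761 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:21:55.275988102 CET 49761 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:22:07.603441954 CET 49762 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:22:10.614824057 CET 49762 55420 192.168.2.7 172.111.249.15
TCP Jan 12, 2021 07:22:16.646604061 CET 49762 55420 192.168.2.7 172.111.249.15
UDP Jan 12, 2021 07:19:40.520523071 CET 59310 53 192.168.2.7 8.8.8.8
UDP Jan 12, 2021 07:19:40.580750942 CET 53 59310 8.8.8.8 192.168.2.7
UDP Jan 12, 2021 07:19:58.382730007 CET 60983 53 192.168.2.7 8.8.8.8
UDP Jan 12, 2021 07:19:58.441404104 CET 53 60983 8.8.8.8 192.168.2.7
UDP Jan 12, 2021 07:20:15.331238031 CET 63744 53 192.168.2.7 8.8.8.8
UDP Jan 12, 2021 07:20:15.387641907 CET 53 63744 8.8.8.8 192.168.2.7
"""


@dataclass
class Beacon:
    src: str
    dst: str
    dport: int
    attempts: int            # distinct connection attempts (retransmits collapsed)
    median_interval: float   # seconds between successive attempts
    max_jitter: float        # largest relative deviation from that median
    answered: bool           # did any packet ever come back from dst?


def parse_ts(text: str) -> float:
    """'Jan 12, 2021 07:19:40.595899105 CET' -> seconds; the zone label is dropped and
    nanoseconds are truncated to microseconds (only differences are used)."""
    stamp = text.rsplit(" ", 1)[0]
    base, frac = stamp.rsplit(".", 1)
    dt = datetime.strptime(base, "%b %d, %Y %H:%M:%S")
    return (dt - datetime(1970, 1, 1)).total_seconds() + int(frac[:6].ljust(6, "0")) / 1e6


def parse_packets(log: str) -> list:
    pkts = []
    for line in filter(str.strip, log.splitlines()):
        proto, rest = line.split(None, 1)
        ts, sport, dport, src, dst = rest.rsplit(None, 4)
        pkts.append((proto, parse_ts(ts), src, int(sport), dst, int(dport)))
    return pkts


def find_beacons(pkts, min_attempts: int = 5, max_jitter: float = 0.3) -> list:
    """Collapse retransmits into one attempt per (proto, src, sport, dst, dport), then flag
    (proto, src, dst, dport) flows whose attempt-to-attempt spacing is regular."""
    first_seen, seen = {}, set()
    for proto, ts, src, sport, dst, dport in pkts:
        key = (proto, src, sport, dst, dport)
        first_seen[key] = min(ts, first_seen.get(key, ts))
        seen.add(key)
    flows = defaultdict(list)
    for (proto, src, sport, dst, dport), ts in first_seen.items():
        replied = (proto, dst, dport, src, sport) in seen   # reverse 5-tuple present?
        flows[(proto, src, dst, dport)].append((ts, replied))
    beacons = []
    for (proto, src, dst, dport), attempts in flows.items():
        times = sorted(t for t, _ in attempts)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) < min_attempts or not gaps or median(gaps) <= 0:
            continue
        med = median(gaps)
        jitter = max(abs(g - med) / med for g in gaps)
        if jitter <= max_jitter:
            beacons.append(Beacon(src, dst, dport, len(times), med, jitter,
                                  any(r for _, r in attempts)))
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_packets(PACKET_LOG)):
        print(b)
```

                                  On these rows the 55420 flow comes out with nine attempts, a median spacing of about 17.8 s, a largest deviation of about 20% and answered=False; the three DNS lookups are left alone because three attempts are below the minimum. The answered flag is reported rather than used as a filter, since a beacon that does get a reply is the more urgent one. Against real Zeek conn.log or firewall data, swap parse_packets for the appropriate reader and add a lower bound on the interval so that ordinary keep-alives are not swept up.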

                                  Code Manipulations

                                  Statistics

                                  Behavior

                                  System Behavior

                                  General

                                  Start time:07:19:21
                                  Start date:12/01/2021
                                  Path:C:\Users\user\Desktop\Scan002.exe.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Users\user\Desktop\Scan002.exe.exe'
                                  Imagebase:0x320000
                                  File size:910848 bytes
                                  MD5 hash:8E2315D05C47FEFDDDF0A686BF9E353E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.254700153.0000000003D97000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  General

                                  Start time:07:19:32
                                  Start date:12/01/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp'
                                  Imagebase:0x12a0000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:07:19:32
                                  Start date:12/01/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff774ee0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:07:19:33
                                  Start date:12/01/2021
                                  Path:C:\Users\user\Desktop\Scan002.exe.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0xd30000
                                  File size:910848 bytes
                                  MD5 hash:8E2315D05C47FEFDDDF0A686BF9E353E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.596528786.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.609798776.0000000005F80000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.607959083.0000000004717000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.609917775.00000000060D0000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.609917775.00000000060D0000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.610027032.0000000006220000.00000004.00000001.sdmp, Author: Joe Security
                                  Reputation:low

                                  General

                                  Start time:07:19:34
                                  Start date:12/01/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8ED7.tmp'
                                  Imagebase:0x12a0000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:07:19:35
                                  Start date:12/01/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff774ee0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:07:19:35
                                  Start date:12/01/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91C6.tmp'
                                  Imagebase:0x12a0000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:07:19:35
                                  Start date:12/01/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff774ee0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:07:19:36
                                  Start date:12/01/2021
                                  Path:C:\Users\user\Desktop\Scan002.exe.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\Scan002.exe.exe 0
                                  Imagebase:0xa00000
                                  File size:910848 bytes
                                  MD5 hash:8E2315D05C47FEFDDDF0A686BF9E353E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.278150561.0000000004427000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  General

                                  Start time:07:19:39
                                  Start date:12/01/2021
                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                  Imagebase:0x7a0000
                                  File size:910848 bytes
                                  MD5 hash:8E2315D05C47FEFDDDF0A686BF9E353E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.274234683.0000000004167000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.270860826.0000000002E41000.00000004.00000001.sdmp, Author: Joe Security
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  Reputation:low

                                  General

                                  Start time:07:19:42
                                  Start date:12/01/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp414F.tmp'
                                  Imagebase:0x12a0000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
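
                                  The four schtasks.exe records above are what the "Scheduled temp file as task from temp location" Sigma hit in the signature list refers to: the sample writes a task definition into the user's %LOCALAPPDATA%\Temp, imports it with /create /xml, and does so for both the Updates\UbebSiSIKndjd and the DHCP Monitor task names. The following is an added example, not part of the Joe Sandbox report and not the Sigma rule itself: it parses process-creation command lines with a small quote-aware tokenizer and flags any schtasks.exe /create whose /xml argument points into a temp directory. The four command lines are copied from the process list; the two benign events, the event field names and the helper names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Locations from which a legitimate installer rarely imports a task definition
TEMP_LOCATION = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.IGNORECASE)
# schtasks switches that consume the following token as their value
OPTIONS_WITH_VALUE = {"/tn", "/xml", "/tr", "/sc", "/ru", "/rp", "/st", "/sd"}


@dataclass
class Finding:
    image: str
    task_name: str
    xml_path: str
    command_line: str


def tokenize(cmd: str) -> list:
    """Split a Windows command line on whitespace, honouring '...' and "..." quoting.
    Simplified on purpose: cmd.exe escape rules are not reproduced."""
    tokens, cur, quote = [], [], None
    for ch in cmd:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in ("'", '"'):
            quote = ch
        elif ch.isspace():
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(cmd: str):
    """Return (flags, options) for a schtasks.exe command line, or None if it is not one."""
    tokens = tokenize(cmd)
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] != "schtasks.exe":
        return None
    flags, options, i = set(), {}, 1
    while i < len(tokens):
        key = tokens[i].lower()
        if key in OPTIONS_WITH_VALUE and i + 1 < len(tokens):
            options[key] = tokens[i + 1]
            i += 2
        else:
            flags.add(key)
            i += 1
    return flags, options


def detect(events) -> list:
    """Flag /create runs whose /xml task definition is imported from a temp directory."""
    findings = []
    for ev in events:
        parsed = parse_schtasks(ev["CommandLine"])
        if parsed is None:
            continue
        flags, options = parsed
        xml = options.get("/xml", "")
        if "/create" in flags and TEMP_LOCATION.search(xml):
            findings.append(Finding(ev["Image"], options.get("/tn", ""), xml, ev["CommandLine"]))
    return findings


# Process-creation events: the four schtasks.exe command lines from the process list,
# plus two constructed benign ones (a task imported from ProgramData, and a /query).
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1945.tmp'"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8ED7.tmp'"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp91C6.tmp'"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp414F.tmp'"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Vendor Updater" /xml "C:\ProgramData\Vendor\updater.xml"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "DHCP Monitor"'},
]


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"suspicious task {f.task_name!r} imported from {f.xml_path}")
```

                                  Task names filed under a folder such as Updates\ or given a plausible service-like name such as DHCP Monitor are chosen to survive a glance at Task Scheduler; the check keys on the /create verb and the import path, not on the name, so renaming the task does not evade it. Feed it the raw CommandLine field from Sysmon event 1 or Windows event 4688 with command-line auditing enabled, and remember that the tokenizer is simpler than cmd.exe's own quoting rules.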

                                  General

                                  Start time:07:19:43
                                  Start date:12/01/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff774ee0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:07:19:43
                                  Start date:12/01/2021
                                  Path:C:\Users\user\Desktop\Scan002.exe.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0x660000
                                  File size:910848 bytes
                                  MD5 hash:8E2315D05C47FEFDDDF0A686BF9E353E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.286646772.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.287923771.0000000003D11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.287850073.0000000002D11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  General

                                  Start time:07:19:47
                                  Start date:12/01/2021
                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                  Imagebase:0xe10000
                                  File size:910848 bytes
                                  MD5 hash:8E2315D05C47FEFDDDF0A686BF9E353E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.303779219.00000000047B7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.302951058.0000000004491000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  General

                                  Start time:07:19:52
                                  Start date:12/01/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UbebSiSIKndjd' /XML 'C:\Users\user\AppData\Local\Temp\tmp65AF.tmp'
                                  Imagebase:0x12a0000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:07:19:52
                                  Start date:12/01/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff774ee0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  General

                                  Start time:07:19:53
                                  Start date:12/01/2021
                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit):false
                                  Commandline:{path}
                                  Imagebase:0x130000
                                  File size:910848 bytes
                                  MD5 hash:8E2315D05C47FEFDDDF0A686BF9E353E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  General

                                  Start time:07:19:53
                                  Start date:12/01/2021
                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit):false
                                  Commandline:{path}
                                  Imagebase:0x3f0000
                                  File size:910848 bytes
                                  MD5 hash:8E2315D05C47FEFDDDF0A686BF9E353E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  General

                                  Start time:07:19:54
                                  Start date:12/01/2021
                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0xb90000
                                  File size:910848 bytes
                                  MD5 hash:8E2315D05C47FEFDDDF0A686BF9E353E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.313206635.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.314650471.00000000043B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.314577877.00000000033B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                  Disassembly

                                  Code Analysis