
Analysis Report CHEQUE COPY RECEIPT.exe

Overview

General Information

Sample Name: CHEQUE COPY RECEIPT.exe
Analysis ID: 355858
MD5: 403180100f3d966d4ea44c84d039a6d0
SHA1: 4b1af3fd502ad953024cb152c5a6d472fd0307c7
SHA256: 18ca07a540dbd6da66851f88c11ad7683486e33f5c2512fe5c4837c44f8f4bc3
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • CHEQUE COPY RECEIPT.exe (PID: 3888 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' MD5: 403180100F3D966D4EA44C84D039A6D0)
    • CHEQUE COPY RECEIPT.exe (PID: 3060 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' MD5: 403180100F3D966D4EA44C84D039A6D0)
      • schtasks.exe (PID: 4616 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5856 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • CHEQUE COPY RECEIPT.exe (PID: 5364 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0 MD5: 403180100F3D966D4EA44C84D039A6D0)
    • CHEQUE COPY RECEIPT.exe (PID: 1060 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0 MD5: 403180100F3D966D4EA44C84D039A6D0)
  • dhcpmon.exe (PID: 5312 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 403180100F3D966D4EA44C84D039A6D0)
  • dhcpmon.exe (PID: 6316 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 403180100F3D966D4EA44C84D039A6D0)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "bed38ea9-13ae-4999-bfd6-9ec5f9de3405",
  "Group": "Default",
  "Domain1": "chinomso.duckdns.org",
  "Domain2": "chinomso.duckdns.org",
  "Port": 7688,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Enable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "chinomso.duckdns.org",
  "BackupDNSServer": "chinomso.duckdns.org",
  "BypassUserAccountControlData": "<scheduled-task XML, decoded below>"
}

BypassUserAccountControlData, decoded from the escaped JSON string (the extracted string ends at "</Task" as shown):

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task

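The configuration above is what an analyst pivots on: the C2 host and port, the mutex, which capability switches are on, and the scheduled-task definition carried in BypassUserAccountControlData (a task with RunLevel HighestAvailable, no triggers, and a placeholder command the client fills in with its own path). The Python below is an added example written for this page, not code from the report, from Joe Sandbox or from NanoCore; it loads a copy of the extracted configuration constructed from the values shown (the task XML is shortened to the elements it parses and given a closing tag), extracts the indicators and inspects the task. The list of dynamic-DNS suffixes is an assumption.

```python
"""Triage an extracted NanoCore configuration (added example, see lead-in)."""
import json
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Switches worth calling out when set to "Enable".
RISKY_SWITCHES = (
    "KeyboardLogging", "RunOnStartup", "RequestElevation", "BypassUAC",
    "ClearZoneIdentifier", "ClearAccessControl", "SetCriticalProcess",
)

# Assumption: a short list of dynamic-DNS providers commonly seen in C2 configs.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")

# Constructed from the values in the report; the task XML is trimmed and closed.
SAMPLE_CONFIG = json.dumps({
    "Version": "1.2.2.0",
    "Mutex": "bed38ea9-13ae-4999-bfd6-9ec5f9de3405",
    "Group": "Default",
    "Domain1": "chinomso.duckdns.org",
    "Domain2": "chinomso.duckdns.org",
    "Port": 7688,
    "KeyboardLogging": "Enable", "RunOnStartup": "Enable",
    "RequestElevation": "Enable", "BypassUAC": "Enable",
    "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable",
    "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable",
    "ConnectDelay": 4000, "RestartDelay": 5000, "KeepAliveTimeout": 30000,
    "UseCustomDNS": "Enable",
    "PrimaryDNSServer": "chinomso.duckdns.org",
    "BackupDNSServer": "chinomso.duckdns.org",
    "BypassUserAccountControlData": (
        '<?xml version="1.0" encoding="UTF-16"?>\r\n'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\r\n'
        '  <RegistrationInfo />\r\n  <Triggers />\r\n'
        '  <Principals><Principal id="Author">\r\n'
        '    <LogonType>InteractiveToken</LogonType>\r\n'
        '    <RunLevel>HighestAvailable</RunLevel>\r\n'
        '  </Principal></Principals>\r\n'
        '  <Settings><Enabled>true</Enabled><Hidden>false</Hidden></Settings>\r\n'
        '  <Actions Context="Author"><Exec>\r\n'
        '    <Command>"#EXECUTABLEPATH"</Command>\r\n'
        '    <Arguments>$(Arg0)</Arguments>\r\n'
        '  </Exec></Actions>\r\n'
        '</Task>'
    ),
})


def parse_task_xml(xml_text):
    """Extract the fields that decide how a Task Scheduler task runs."""
    # The declaration says UTF-16, but the extractor already decoded the
    # string; strip the declaration instead of letting a parser act on it.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).strip()
    root = ET.fromstring(xml_text)  # stdlib ET does not fetch external entities

    def text_at(path):
        node = root.find(path)
        return node.text.strip() if node is not None and node.text else None

    principal = f"{TASK_NS}Principals/{TASK_NS}Principal/"
    triggers = root.find(f"{TASK_NS}Triggers")
    return {
        "run_level": text_at(principal + f"{TASK_NS}RunLevel"),
        "logon_type": text_at(principal + f"{TASK_NS}LogonType"),
        "hidden": text_at(f"{TASK_NS}Settings/{TASK_NS}Hidden"),
        "command": text_at(f"{TASK_NS}Actions/{TASK_NS}Exec/{TASK_NS}Command"),
        "arguments": text_at(f"{TASK_NS}Actions/{TASK_NS}Exec/{TASK_NS}Arguments"),
        "has_triggers": triggers is not None and len(triggers) > 0,
    }


def triage_config(config_json):
    """Turn the extractor's JSON into indicators and a capability summary."""
    cfg = json.loads(config_json)
    c2_hosts = sorted({cfg[k] for k in ("Domain1", "Domain2") if cfg.get(k)})
    task = parse_task_xml(cfg["BypassUserAccountControlData"])
    return {
        "c2": [f"{h}:{cfg['Port']}" for h in c2_hosts],
        "dynamic_dns": [h for h in c2_hosts if h.endswith(DYNDNS_SUFFIXES)],
        "custom_dns": sorted({cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)}),
        "mutex": cfg["Mutex"],
        "enabled_switches": [k for k in RISKY_SWITCHES if cfg.get(k) == "Enable"],
        "task": task,
        # No trigger plus HighestAvailable: the task exists to be started on
        # demand with the highest token the logged-on user can obtain.
        "task_elevated_on_demand": task["run_level"] == "HighestAvailable" and not task["has_triggers"],
        "reconnect_seconds": cfg.get("RestartDelay", 0) / 1000,
    }


if __name__ == "__main__":
    print(json.dumps(triage_config(SAMPLE_CONFIG), indent=2))
```

The task parser reads the fields by namespace-qualified path rather than by string matching, so it still works when the task XML is reordered or padded; the "Hidden" value is reported because a visible task named to look like a system component (here "DHCP Monitor") is what a defender would enumerate with schtasks /query.
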
Yara Overview

Memory Dumps

Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
Strings:
  • 0x111e5:$x1: NanoCore.ClientPluginHost
  • 0x11222:$x2: IClientNetworkHost
  • 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)

Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp
Rule: NanoCore (description: unknown; author: Kevin Breen <kevin@techanarchy.net>)
Strings:
  • 0x10f4d:$a: NanoCore
  • 0x10f5d:$a: NanoCore
  • 0x11191:$a: NanoCore
  • 0x111a5:$a: NanoCore
  • 0x111e5:$a: NanoCore
  • 0x10fac:$b: ClientPlugin
  • 0x111ae:$b: ClientPlugin
  • 0x111ee:$b: ClientPlugin
  • 0x110d3:$c: ProjectData
  • 0x11ada:$d: DESCrypto
  • 0x194a6:$e: KeepAlive
  • 0x17494:$g: LogClientMessage
  • 0x1368f:$i: get_Connected
  • 0x11e10:$j: #=q
  • 0x11e40:$j: #=q
  • 0x11e5c:$j: #=q
  • 0x11e8c:$j: #=q
  • 0x11ea8:$j: #=q
  • 0x11ec4:$j: #=q
  • 0x11ef4:$j: #=q
  • 0x11f10:$j: #=q

Source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)

Source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp
Rule: NanoCore (description: unknown; author: Kevin Breen <kevin@techanarchy.net>)
Strings:
  • 0x43195:$a: NanoCore
  • 0x431ee:$a: NanoCore
  • 0x4322b:$a: NanoCore
  • 0x432a4:$a: NanoCore
  • 0x5694f:$a: NanoCore
  • 0x56964:$a: NanoCore
  • 0x56999:$a: NanoCore
  • 0x6f95b:$a: NanoCore
  • 0x6f970:$a: NanoCore
  • 0x6f9a5:$a: NanoCore
  • 0x431f7:$b: ClientPlugin
  • 0x43234:$b: ClientPlugin
  • 0x43b32:$b: ClientPlugin
  • 0x43b3f:$b: ClientPlugin
  • 0x5670b:$b: ClientPlugin
  • 0x56726:$b: ClientPlugin
  • 0x56756:$b: ClientPlugin
  • 0x5696d:$b: ClientPlugin
  • 0x569a2:$b: ClientPlugin
  • 0x6f717:$b: ClientPlugin
  • 0x6f732:$b: ClientPlugin

(63 entries in total; the remaining entries are not shown here.)

      Unpacked PEs

Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
Strings:
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost

Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
Strings:
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost

Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT; author: Joe Security)

Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack
Rule: Nanocore_RAT_Gen_2 (Detects the Nanocore RAT; author: Florian Roth)
Strings:
  • 0x1d9e5:$x1: NanoCore.ClientPluginHost
  • 0x1da22:$x2: IClientNetworkHost
  • 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT; author: Florian Roth)
Strings:
  • 0x1d75d:$x1: NanoCore Client.exe
  • 0x1d9e5:$x2: NanoCore.ClientPluginHost
  • 0x1f01e:$s1: PluginCommand
  • 0x1f012:$s2: FileCommand
  • 0x1fec3:$s3: PipeExists
  • 0x25c7a:$s4: PipeCreated
  • 0x1da0f:$s5: IClientLoggingHost

(170 entries in total; the remaining entries are not shown here.)

        Sigma Overview

        System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe, ProcessId: 3060, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe', ParentImage: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe, ParentProcessId: 3060, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp', ProcessId: 4616
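The second Sigma hit is the persistence step visible in the process tree: schtasks.exe /create with /xml pointing at a file in the user's Temp directory, spawned by an executable running from the Desktop. The Python below is an added example, not part of the report or of the Sigma rule set; it applies the same logic to constructed process-creation records with Sysmon Event ID 1 style fields. Two records reproduce the command lines from the report, the remaining ones are invented benign controls.

```python
"""Flag schtasks.exe creating a task from an XML file in a temp directory
(added example, see lead-in)."""
import re

# Arguments: "..." and '...' quoted tokens, otherwise whitespace-separated.
# Windows only uses double quotes; sandbox reports (like this one) render
# them as single quotes, so both are accepted.
TOKEN_RE = re.compile(r"""(?:"[^"]*"|'[^']*'|\S+)""")
# Temp locations a legitimate installer rarely registers a task from.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

# Constructed Sysmon Event ID 1 style records. The first two reproduce the
# command lines from the process tree; the rest are invented benign controls.
SAMPLE_EVENTS = [
    {"ProcessId": 4616, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp'",
     "ParentImage": r"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe", "ParentProcessId": 3060},
    {"ProcessId": 5856, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp'",
     "ParentImage": r"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe", "ParentProcessId": 3060},
    {"ProcessId": 7001, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Nightly Backup" /tr "C:\Tools\backup.cmd" /sc daily /st 02:00',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 7000},
    {"ProcessId": 7002, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Vendor Updater" /xml "C:\ProgramData\Vendor\updater.xml"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe", "ParentProcessId": 7000},
    {"ProcessId": 7003, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "Nightly Backup"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 7000},
]


def tokenize(cmdline):
    """Split a command line into arguments with surrounding quotes removed."""
    return [t.strip("\"'") for t in TOKEN_RE.findall(cmdline)]


def analyse_schtasks(record):
    """Return a finding for a suspicious schtasks /create, else None."""
    if not record.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    args = tokenize(record.get("CommandLine", ""))
    lowered = [a.lower() for a in args]
    if "/create" not in lowered:
        return None

    def value_after(switch):
        try:
            return args[lowered.index(switch) + 1]
        except (ValueError, IndexError):
            return None

    xml_path = value_after("/xml")
    if xml_path is None or not TEMP_DIR_RE.search(xml_path):
        return None
    parent = record.get("ParentImage", "")
    return {
        "pid": record.get("ProcessId"),
        "task_name": value_after("/tn"),
        "xml_path": xml_path,
        "parent": parent,
        # A parent running from a user-writable profile path raises the score.
        "parent_in_user_profile": "\\users\\" in parent.lower(),
    }


def hunt(events):
    """Run the check over a batch of process-creation records."""
    return [f for f in (analyse_schtasks(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The check keys on the /xml argument rather than on the task name, because the name is attacker-chosen; the XML path is also what to collect during response, since the temp file is deleted after registration and the task definition itself (RunLevel, action) then only survives in the Task Scheduler store.
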

        Signature Overview

        AV Detection:

Found malware configuration
Source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (full configuration listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: chinomso.duckdns.org; VirusTotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll; ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: CHEQUE COPY RECEIPT.exe; VirusTotal: Detection: 40%
Source: CHEQUE COPY RECEIPT.exe; ReversingLabs: Detection: 25%
Yara detected Nanocore RAT
Source: Yara match, type MEMORY:
  • 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp
  • 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp
  • 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp
  • 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp
  • 0000000C.00000002.282659839.00000000022A1000.00000004.00000001.sdmp
  • 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp
  • 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp
  • 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp
  • 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp
  • 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp
  • 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp
  • 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp
  • 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp
  • 00000001.00000002.504663155.0000000003563000.00000004.00000001.sdmp
  • 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp
  • 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp
  • 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp
  • 00000001.00000002.501596655.00000000024D1000.00000004.00000001.sdmp
  • Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364
  • Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888
  • Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060
  • Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060
Source: Yara match, type UNPACKEDPE:
  • 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack
  • 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack
  • 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack
  • 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack
  • 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack
  • 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack
  • 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack
  • 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack
  • 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack
  • 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack
  • 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack
  • 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack
  • 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack
  • 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack
  • 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack
  • 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack
  • 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CHEQUE COPY RECEIPT.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack; Avira: Label: TR/NanoCore.fadte
Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7

        Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe; Unpacked PE file: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe; Unpacked PE file: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe; Unpacked PE file: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack
Uses 32bit PE files
Source: CHEQUE COPY RECEIPT.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: CHEQUE COPY RECEIPT.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbneutral, PublicKeyToken=b77a5c561934e089" /> source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499581962.0000000000822000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: CHEQUE COPY RECEIPT.exe, 00000000.00000003.234086186.0000000002A80000.00000004.00000001.sdmp, CHEQUE COPY RECEIPT.exe, 00000009.00000003.252668286.0000000002C00000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: CHEQUE COPY RECEIPT.exe, 00000000.00000003.234086186.0000000002A80000.00000004.00000001.sdmp, CHEQUE COPY RECEIPT.exe, 00000009.00000003.252668286.0000000002C00000.00000004.00000001.sdmp
Code functions that enumerate files (FindFirstFile / FindNextFile)
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe; Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe; Code function: 0_2_004065C1 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe; Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe; Code function: 1_2_00404A29 FindFirstFileExW,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 10_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 10_2_004065C1 FindFirstFileA,FindClose,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 10_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe; Code function: 12_2_00404A29 FindFirstFileExW,

        Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49719 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49723 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49726 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49728 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49731 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49734 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49739 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49740 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49741 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49743 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49746 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49747 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49748 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49749 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49750 -> 185.150.24.55:7688
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49751 -> 185.150.24.55:7688
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: chinomso.duckdns.org
Uses dynamic DNS services
Source: unknown; DNS query: name: chinomso.duckdns.org
Source: unknown; DNS traffic detected: queries for: chinomso.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.5:49719 -> 185.150.24.55:7688
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 185.150.24.55
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: SKYLINKNL
URLs found in binary or memory
Source: CHEQUE COPY RECEIPT.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: CHEQUE COPY RECEIPT.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe; Code function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Installs a raw input device (often for capturing keystrokes)
Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; the memory dumps and unpacked PEs are the same as those listed under AV Detection above.
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.282706630.00000000022F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.22ccc70.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.230ba34.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.24fca54.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.5640000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_00407272
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_00406A9B
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_73CA1A98
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_0040A2A5
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_022CE471
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_022CE480
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_022CBBD4
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_0505F5F8
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_05059788
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_0505A610
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 9_2_73351A98
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00407272
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00406A9B
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_0040A2A5
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_04D6E480
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_04D6E471
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_04D6E47B
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_04D6BBD4
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_0506F5F8
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_05069788
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_0506A610
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: String function: 00401ED0 appears 46 times
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: String function: 0040569E appears 36 times
        Source: CHEQUE COPY RECEIPT.exe, 00000000.00000003.234516407.0000000002D2F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe, 00000000.00000002.240855923.0000000002390000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.509100019.0000000006510000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508122820.00000000050E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508333536.0000000005660000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe, 00000009.00000003.254700874.0000000002D1F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe, 00000009.00000002.270382228.00000000028E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe, 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe, 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe, 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe, 0000000C.00000002.285299150.0000000005200000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs CHEQUE COPY RECEIPT.exe
        Source: CHEQUE COPY RECEIPT.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.282706630.00000000022F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.22ccc70.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.22ccc70.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.230ba34.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.230ba34.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.24fca54.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.24fca54.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.5640000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.5640000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@14/18@17/2
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_100041FD CreateToolhelp32Snapshot,Process32FirstW,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_01
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{bed38ea9-13ae-4999-bfd6-9ec5f9de3405}
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | File created: C:\Users\user\AppData\Local\Temp\nsmD23E.tmp
        Source: CHEQUE COPY RECEIPT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: CHEQUE COPY RECEIPT.exe | Virustotal: Detection: 40%
        Source: CHEQUE COPY RECEIPT.exe | ReversingLabs: Detection: 25%
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | File read: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
        Source: unknown | Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe'
        Source: unknown | Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknown | Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe'
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp'
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp'
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: CHEQUE COPY RECEIPT.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbneutral, PublicKeyToken=b77a5c561934e089" /> source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp
        Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499581962.0000000000822000.00000004.00000020.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp
        Source: Binary string: wntdll.pdbUGP source: CHEQUE COPY RECEIPT.exe, 00000000.00000003.234086186.0000000002A80000.00000004.00000001.sdmp, CHEQUE COPY RECEIPT.exe, 00000009.00000003.252668286.0000000002C00000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: CHEQUE COPY RECEIPT.exe, 00000000.00000003.234086186.0000000002A80000.00000004.00000001.sdmp, CHEQUE COPY RECEIPT.exe, 00000009.00000003.252668286.0000000002C00000.00000004.00000001.sdmp

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Unpacked PE file: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Unpacked PE file: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
        Detected unpacking (creates a PE file in dynamic memory)
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Unpacked PE file: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack
        Detected unpacking (overwrites its own PE header)
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Unpacked PE file: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Unpacked PE file: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack
        .NET source code contains potential unpacker
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_73CA1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_73CA2F60 push eax; ret
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_00401F16 push ecx; ret
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_05057648 push eax; iretd
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 9_2_73352F60 push eax; ret
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_00401F16 push ecx; ret
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_05067648 push eax; iretd
        Source: initial sample | Static PE information: section name: .data entropy: 7.66089605527
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | File created: C:\Users\user\AppData\Local\Temp\nsfF3F1.tmp\System.dll
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | File created: C:\Users\user\AppData\Local\Temp\nscD29E.tmp\System.dll
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | File created: C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | File opened: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Window / User API: threadDelayed 5075
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Window / User API: threadDelayed 4232
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Window / User API: foregroundWindowGot 857
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe TID: 4828 | Thread sleep time: -21213755684765971s >= -30000s
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe TID: 6244 | Thread sleep count: 43 > 30
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe TID: 6224 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_004065C1 FindFirstFileA,FindClose,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_004027A1 FindFirstFileA,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_004065C1 FindFirstFileA,FindClose,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_004027A1 FindFirstFileA,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_00404A29 FindFirstFileExW,
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.509100019.0000000006510000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.499581962.0000000000822000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt"V)6H
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.509100019.0000000006510000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.509100019.0000000006510000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.509100019.0000000006510000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_73CA1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_10004564 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_10004767 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 9_2_10004564 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 9_2_10004767 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_004067FE GetProcessHeap,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 12_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Maps a DLL or memory area into another process
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Section loaded: unknown target: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe'
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp'
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp'
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Process created: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508603579.00000000058CD000.00000004.00000001.sdmp | Binary or memory string: Program Manager4:
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.503747370.0000000002938000.00000004.00000001.sdmp | Binary or memory string: Program Manager
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.500015497.0000000000D70000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.499532247.0000000000D10000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.499521748.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.500015497.0000000000D70000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.499532247.0000000000D10000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.499521748.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.500015497.0000000000D70000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.499532247.0000000000D10000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.499521748.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.500015497.0000000000D70000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.499532247.0000000000D10000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.499521748.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.500015497.0000000000D70000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.499532247.0000000000D10000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.499521748.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508936051.0000000005D8C000.00000004.00000001.sdmp | Binary or memory string: Program Manager4
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.503553723.00000000028DD000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHa
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_0040208D cpuid
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 1_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        barindex
        Yara detected Nanocore RAT
        Source: Yara matchFile source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.282659839.00000000022A1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.504663155.0000000003563000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000001.00000002.501596655.00000000024D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3888, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 3060, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 1060, type: MEMORY
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.3570821.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CHEQUE COPY RECEIPT.exe.2a30000.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.7b3278.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.5774629.13.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.3327815.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.CHEQUE COPY RECEIPT.exe.2a31458.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.47c0000.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.32a5530.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.1.CHEQUE COPY RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.6b4140.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.331e3b6.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.CHEQUE COPY RECEIPT.exe.2a41458.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.33231ec.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.5770000.12.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.22e0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.raw.unpack, type: UNPACKEDPE
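The match list above is long but carries the most useful triage fact in the report: in which processes the NanoCore payload sits, and whether it sits in a writable-and-executable region at the 32-bit default image base (a loader that rewrote its own image). The following script is an added example, not part of the report or of Joe Sandbox. It parses a subset of the lines listed above. Two things it relies on are assumptions, not documented on this page: that a .sdmp identifier reads as process index, stage, dump id, base address, page protection, region type (hexadecimal fields, with 0x40 in the protection field being the Windows PAGE_EXECUTE_READWRITE constant), and that an .unpack identifier reads as process index, stage, image name, address, index, optional "raw".

```python
"""Triage of Joe Sandbox Yara match sources (added example, not report code).

Assumptions (not documented on the page):
  .sdmp  : <process index>.<stage>.<dump id>.<base address>.<page protection>.<region type>.sdmp
           hexadecimal fields; protection uses Windows PAGE_* values (0x40 = PAGE_EXECUTE_READWRITE)
  .unpack: <process index>.<stage>.<image name>.<address>.<index>[.raw].unpack
"""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40        # Windows page-protection constant
DEFAULT_IMAGE_BASE_32 = 0x400000     # default image base of 32-bit PE files

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<rtype>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+)\.(?P<addr>[0-9a-f]+)\."
    r"(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$")
SOURCE_RE = re.compile(r"File source:\s*(?P<ident>.+?),\s*type:\s*(?P<kind>\w+)")


def parse_match_line(line):
    """Return a dict for a memory-dump or unpacked-PE match, or None for anything
    else (e.g. 'Process Memory Space: ... PID: N' entries carry no region info)."""
    m = SOURCE_RE.search(line)
    if not m:
        return None
    ident, kind = m["ident"].strip(), m["kind"]
    if kind == "MEMORY":
        s = SDMP_RE.match(ident)
        if not s:
            return None
        return {"kind": "sdmp", "proc": int(s["proc"], 16), "stage": int(s["stage"], 16),
                "base": int(s["base"], 16), "prot": int(s["prot"], 16)}
    if kind == "UNPACKEDPE":
        u = UNPACK_RE.match(ident)
        if not u:
            return None
        return {"kind": "unpack", "proc": int(u["proc"]), "stage": int(u["stage"]),
                "base": int(u["addr"], 16), "raw": u["raw"] is not None}
    return None


def summarize(lines):
    """Group matches by process index: every base address with a hit, the
    (stage, base) pairs whose dump was RWX, and the number of unpacked PEs."""
    out = defaultdict(lambda: {"bases": set(), "rwx": set(), "unpacked": 0})
    for line in lines:
        rec = parse_match_line(line)
        if rec is None:
            continue
        p = out[rec["proc"]]
        p["bases"].add(rec["base"])
        if rec["kind"] == "sdmp" and rec["prot"] == PAGE_EXECUTE_READWRITE:
            p["rwx"].add((rec["stage"], rec["base"]))
        elif rec["kind"] == "unpack":
            p["unpacked"] += 1
    return dict(out)


def rwx_image_base_procs(summary, stage=2, image_base=DEFAULT_IMAGE_BASE_32):
    """Process indices whose end-of-analysis (stage 2) dump at the image base was
    RWX and matched the rule: the original image was rewritten in place."""
    return sorted(proc for proc, p in summary.items() if (stage, image_base) in p["rwx"])


# A subset of the match lines listed above, copied from the report.
SAMPLE_LINES = [
    "Source: Yara matchFile source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: Process Memory Space: CHEQUE COPY RECEIPT.exe PID: 5364, type: MEMORY",
    "Source: Yara matchFile source: 1.2.CHEQUE COPY RECEIPT.exe.356c1f8.7.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 12.2.CHEQUE COPY RECEIPT.exe.400000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 9.2.CHEQUE COPY RECEIPT.exe.2a20000.5.unpack, type: UNPACKEDPE",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for proc in sorted(s):
        print(f"process {proc:#x}: bases={[hex(b) for b in sorted(s[proc]['bases'])]} "
              f"rwx={sorted(s[proc]['rwx'])} unpacked={s[proc]['unpacked']}")
    print("RWX match at image base in processes:", rwx_image_base_procs(s))
```

On the subset above the script reports process indices 1 and 0xC (12) as holding the match in an RWX region at 0x400000 at the end of analysis, while process 0 (the NSIS outer layer) and process 9 only hold it in ordinary read-write heap regions; that is the split between the stages that carry the payload as data and the stages that run it.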

        Remote Access Functionality:

        barindex
        Detected Nanocore Rat
        Source: CHEQUE COPY RECEIPT.exe, 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: CHEQUE COPY RECEIPT.exe | String found in binary or memory: NanoCore.ClientPluginHost
        Source: CHEQUE COPY RECEIPT.exe, 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: CHEQUE COPY RECEIPT.exe, 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: CHEQUE COPY RECEIPT.exe | String found in binary or memory: NanoCore.ClientPluginHost
        Source: CHEQUE COPY RECEIPT.exe, 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match. The matched sources are the same memory dumps, process memory spaces and unpacked PE files already listed under Stealing of Sensitive Information above.

        Mitre Att&ck Matrix

        The matrix on the page is a 14-column grid (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact) whose cells ran together in this capture. Only the techniques carrying a count were triggered for this sample; the digits after each technique are the per-signature count badges exactly as they appear in the cell, run together by extraction (so "112" is several badges, not one number). Triggered techniques, per tactic:

        Execution: Native API 1; Scheduled Task/Job 1
        Persistence: Scheduled Task/Job 1
        Privilege Escalation: Access Token Manipulation 1; Process Injection 112; Scheduled Task/Job 1
        Defense Evasion: Disable or Modify Tools 1; Deobfuscate/Decode Files or Information 11; Obfuscated Files or Information 3; Software Packing 42; Masquerading 2; Virtualization/Sandbox Evasion 3; Access Token Manipulation 1; Process Injection 112; Hidden Files and Directories 1
        Credential Access: Input Capture 11
        Discovery: System Time Discovery 1; File and Directory Discovery 2; System Information Discovery 25; Security Software Discovery 131; Virtualization/Sandbox Evasion 3; Process Discovery 3; Application Window Discovery 1
        Collection: Archive Collected Data 11; Input Capture 11; Clipboard Data 1
        Command and Control: Encrypted Channel 1; Non-Standard Port 1; Remote Access Software 1; Non-Application Layer Protocol 1; Application Layer Protocol 21
        Impact: System Shutdown/Reboot 1
        Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects: no technique triggered (these columns hold only the matrix's placeholder entries).

        Behavior Graph

        Behavior Graph ID: 355858
        Sample: CHEQUE COPY RECEIPT.exe
        Start date: 22/02/2021
        Architecture: WINDOWS
        Score: 100

        The graph image is not reproduced here; its node text is laid out below as a process tree. Numbers in parentheses are the graph's node IDs. The counts shown beside a process node are, per the graph's legend, the number of registry values and files the process created.

        Analysis root (2)
          DNS: chinomso.duckdns.org
          Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 16 other signatures
          Started: CHEQUE COPY RECEIPT.exe (9), count 19; CHEQUE COPY RECEIPT.exe (13), count 17; dhcpmon.exe (15), count 9; dhcpmon.exe (17), count 9

        CHEQUE COPY RECEIPT.exe (9)
          Dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
          Signature: Maps a DLL or memory area into another process
          Started: CHEQUE COPY RECEIPT.exe (19), counts 1 and 13

        CHEQUE COPY RECEIPT.exe (13)
          Dropped: C:\Users\user\AppData\...\9mqal9z8w5l9du.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32)
          Started: CHEQUE COPY RECEIPT.exe (24), count 3

        CHEQUE COPY RECEIPT.exe (19)
          Network: chinomso.duckdns.org 185.150.24.55, ports 49719, 49723, 49726, SKYLINKNL, Netherlands; 192.168.2.1 (unknown)
          Dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); C:\Users\user\AppData\Local\...\tmpE682.tmp (XML); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
          Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
          Started: schtasks.exe (26), count 1; schtasks.exe (28), count 1

        CHEQUE COPY RECEIPT.exe (24)
          Dropped: C:\Users\user\...\CHEQUE COPY RECEIPT.exe.log (ASCII)

        schtasks.exe (26)
          Started: conhost.exe (30)

        schtasks.exe (28)
          Started: conhost.exe (32)
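The persistence chain in the graph above (the injected stage writes an XML task definition, tmpE682.tmp, into the user's Temp directory, runs schtasks.exe twice, and plants dhcpmon.exe under Program Files (x86)) is easy to turn into endpoint detection logic. The script below is an added example, not part of the report or of Joe Sandbox. Its events are constructed to mirror the graph, not taken from the report's raw telemetry; the report does not show the schtasks command line or the task name, so the ones used here are assumptions, as is the SysWOW64 path of schtasks.exe.

```python
"""Detection logic for the schtasks-from-Temp plus PE-into-Program-Files chain.

Added example, not report code. The events are constructed; the schtasks
command line, the task name and the SysWOW64 path are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (creation) or "file_write"
    actor: str           # image path of the process performing the action
    image: str = ""      # created process image (process events)
    cmdline: str = ""    # created process command line (process events)
    path: str = ""       # written path (file_write events)


TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
XML_ARG_RE = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.IGNORECASE)


def schtasks_from_temp_xml(ev):
    """schtasks.exe /create whose /xml task definition lives in the user's Temp."""
    if ev.kind != "process" or not ev.image.lower().endswith("\\schtasks.exe"):
        return False
    if not re.search(r"/create\b", ev.cmdline, re.IGNORECASE):
        return False
    m = XML_ARG_RE.search(ev.cmdline)
    if not m:
        return False
    xml_path = m.group(1) or m.group(2)   # quoted or bare path argument
    return bool(TEMP_DIR_RE.search(xml_path))


def pe_dropped_into_program_files(ev):
    """An .exe written under Program Files by a process that itself runs from a
    user-writable location (Desktop, Downloads, AppData), which an installer
    running from the system directories would not trigger."""
    if ev.kind != "file_write" or not ev.path.lower().endswith(".exe"):
        return False
    return bool(PROGRAM_FILES_RE.match(ev.path) and USER_WRITABLE_RE.search(ev.actor))


RULES = [
    ("schtasks_task_from_temp_xml", schtasks_from_temp_xml),
    ("pe_written_to_program_files_from_user_path", pe_dropped_into_program_files),
]


def correlate(events):
    """Map each acting process to the rule names it triggered, in event order."""
    hits = defaultdict(list)
    for ev in events:
        for name, rule in RULES:
            if rule(ev) and name not in hits[ev.actor]:
                hits[ev.actor].append(name)
    return {actor: names for actor, names in hits.items() if names}


def verdict(hits):
    """'high' when one process both registers a task from Temp and plants a PE
    under Program Files; 'medium' for either behaviour alone."""
    return {actor: ("high" if len(names) == len(RULES) else "medium")
            for actor, names in hits.items()}


SAMPLE = r"C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe"
# Constructed telemetry mirroring the graph; command lines and task name are assumptions.
EVENTS = [
    Event("file_write", SAMPLE, path=r"C:\Users\user\AppData\Local\Temp\tmpE682.tmp"),
    Event("process", SAMPLE, image=r"C:\Windows\SysWOW64\schtasks.exe",
          cmdline=r'schtasks.exe /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE682.tmp"'),
    Event("file_write", SAMPLE, path=r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"),
    # benign controls: a query-only schtasks run, and an installer writing to Program Files
    Event("process", r"C:\Windows\System32\svchost.exe", image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r'schtasks.exe /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'),
    Event("file_write", r"C:\Windows\System32\msiexec.exe", path=r"C:\Program Files (x86)\Vendor\tool.exe"),
]

if __name__ == "__main__":
    hits = correlate(EVENTS)
    for actor, names in hits.items():
        print(f"{actor}: {names} -> {verdict(hits)[actor]}")
```

Correlating on the acting process rather than alerting per event is what separates this chain from noise: a lone schtasks /create from an installer, or a lone write into Program Files by msiexec.exe, each appears constantly on real endpoints, while one Desktop-resident executable doing both within a single run is the NanoCore installer's signature behaviour.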

        Screenshots

        Thumbnails

        (The screenshot thumbnails are not reproduced in this capture; the only surviving image label is "windows-stand".)

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source                     Detection   Scanner
        CHEQUE COPY RECEIPT.exe    40%         Virustotal
        CHEQUE COPY RECEIPT.exe    25%         ReversingLabs
        CHEQUE COPY RECEIPT.exe    100%        Joe Sandbox ML

        Dropped Files

        Source                                                      Detection   Scanner          Label
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe             100%        Joe Sandbox ML
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe             25%         ReversingLabs
        C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll         15%         ReversingLabs    Win32.Trojan.Generic
        C:\Users\user\AppData\Local\Temp\nscD29E.tmp\System.dll     0%          Metadefender
        C:\Users\user\AppData\Local\Temp\nscD29E.tmp\System.dll     0%          ReversingLabs
        C:\Users\user\AppData\Local\Temp\nsfF3F1.tmp\System.dll     0%          Metadefender
        C:\Users\user\AppData\Local\Temp\nsfF3F1.tmp\System.dll     0%          ReversingLabs

        Unpacked PE Files

        Source                                           Detection   Scanner   Label
        1.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack      100%        Avira     TR/Dropper.MSIL.Gen7
        1.2.CHEQUE COPY RECEIPT.exe.2440000.4.unpack     100%        Avira     TR/Dropper.MSIL.Gen7
        1.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack      100%        Avira     TR/Dropper.MSIL.Gen7
        12.1.CHEQUE COPY RECEIPT.exe.400000.0.unpack     100%        Avira     TR/Dropper.MSIL.Gen7
        1.2.CHEQUE COPY RECEIPT.exe.5770000.12.unpack    100%        Avira     TR/NanoCore.fadte
        12.2.CHEQUE COPY RECEIPT.exe.4e30000.10.unpack   100%        Avira     TR/Dropper.MSIL.Gen7
        12.2.CHEQUE COPY RECEIPT.exe.400000.0.unpack     100%        Avira     TR/Dropper.MSIL.Gen7

        Domains

        Source                  Detection   Scanner
        chinomso.duckdns.org    8%          Virustotal

        URLs

        Source                  Detection   Scanner           Label
        chinomso.duckdns.org    8%          Virustotal
        chinomso.duckdns.org    0%          Avira URL Cloud   safe

        Domains and IPs

        Contacted Domains

        Name: chinomso.duckdns.org
        IP: 185.150.24.55
        Active: true
        Malicious: true
        Antivirus Detection: (none listed)
        Reputation: unknown

        Contacted URLs

        Name: chinomso.duckdns.org
        Malicious: true
        Antivirus Detection: 8% (Virustotal); Avira URL Cloud: safe
        Reputation: unknown

        URLs from Memory and Binaries

        Name                                   Source                    Malicious   Reputation
        http://nsis.sf.net/NSIS_Error          CHEQUE COPY RECEIPT.exe   false       high
        http://nsis.sf.net/NSIS_ErrorError     CHEQUE COPY RECEIPT.exe   false       high

            Contacted IPs


            Public

        IP: 185.150.24.55
        Domain: unknown
        Country: Netherlands
        ASN: 44592
        ASN Name: SKYLINKNL
        Malicious: true

            Private

            IP
            192.168.2.1

            General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 355858
Start date: 22.02.2021
Start time: 08:16:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: CHEQUE COPY RECEIPT.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@14/18@17/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 13.7% (good quality ratio 13%)
• Quality average: 81.9%
• Quality standard deviation: 27.8%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • TCP Packets have been reduced to 100
            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.43.139.144, 92.122.145.220, 40.88.32.150, 13.88.21.125, 184.30.24.56, 51.104.139.180, 205.185.216.42, 205.185.216.10, 51.103.5.159, 92.122.213.194, 92.122.213.247, 20.54.26.129
            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net
            • Report size exceeded maximum capacity and may have missing behavior information.

            Simulations

            Behavior and APIs

Time | Type | Description
08:17:36 | API Interceptor | 1003x Sleep call for process: CHEQUE COPY RECEIPT.exe modified
08:17:37 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe" s>$(Arg0)
08:17:38 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
08:17:38 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

            Joe Sandbox View / Context

            IPs

Match: 185.150.24.55

Associated Sample Name / URL | Detection
CHEQUE COPY.exe | malicious
CHEQUE COPY.jar | malicious
PAYMENT COPY RECEIPT.exe | malicious
FeDEx TRACKING DETAILS.exe | malicious
FeDEx TRACKING DETAILS.exe | malicious
FedEx TRACKING DETAILS.exe | malicious
TNT TRACKING DETAILS.exe | malicious
TNT TRACKING DETAILS.exe | malicious

                            Domains

Match: chinomso.duckdns.org

Associated Sample Name / URL | Detection | Context (IP)
CHEQUE COPY.exe | malicious | 185.150.24.55
PAYMENT COPY RECEIPT.exe | malicious | 185.150.24.55
Shiping Doc BL.exe | malicious | 194.5.98.157
Shiping Doc BL.exe | malicious | 194.5.98.157
Shiping Doc BL.exe | malicious | 194.5.98.157
Shiping Doc BL.exe | malicious | 194.5.98.157
Shiping Doc BL.exe | malicious | 194.5.98.157
Shiping Doc BL.exe | malicious | 194.5.98.157
DHL AWB TRACKING DETAIL.exe | malicious | 194.5.98.56
odou7cg844.exe | malicious | 129.205.124.145
DHL AWB TRACKING DETAILS.exe | malicious | 185.244.30.86
AWB RECEIPT.exe | malicious | 129.205.124.132
TNT AWB TRACKING DETAILS.exe | malicious | 129.205.113.246
DHL AWB TRACKING DETAILS.exe | malicious | 197.210.227.36
DHL AWB TRACKING DETAILS.exe | malicious | 185.244.30.39
TNT AWB TRACKING DETAILS.exe | malicious | 129.205.124.140
DHL AWB TRACKING DETAILS.exe | malicious | 197.210.85.85
DHL AWB TRACKING DETAIILS.exe | malicious | 185.244.30.39
39Quot.exe | malicious | 185.165.153.35

                            ASN

Match: SKYLINKNL

Associated Sample Name / URL | Detection | Context (IP)
CHEQUE COPY.exe | malicious | 185.150.24.55
Quotation-3276.PDF.exe | malicious | 185.150.24.44
CHEQUE COPY.jar | malicious | 185.150.24.55
MRC20201030XMY, pdf.exe | malicious | 185.150.24.6
PAYMENT COPY RECEIPT.exe | malicious | 185.150.24.55
FeDEx TRACKING DETAILS.exe | malicious | 185.150.24.55
FeDEx TRACKING DETAILS.exe | malicious | 185.150.24.55
FedEx TRACKING DETAILS.exe | malicious | 185.150.24.55
TNT TRACKING DETAILS.exe | malicious | 185.150.24.55
TNT TRACKING DETAILS.exe | malicious | 185.150.24.55
QUOTATION 20 10 2020.exe | malicious | 185.150.24.48
NEW PO638363483.exe | malicious | 185.150.24.9
NEW PO6487382.exe | malicious | 185.150.24.9

                            JA3 Fingerprints

                            No context

                            Dropped Files

Match: C:\Users\user\AppData\Local\Temp\nscD29E.tmp\System.dll

Associated Sample Name / URL | Detection
Remittance copy.xlsx | malicious
CI + PL.xlsx | malicious
RFQ_Enquiry_0002379_.xlsx | malicious
QUOTATION.exe | malicious
AgroAG008021921doc_pdf.exe | malicious
CHEQUE COPY.exe | malicious
Bank Details.exe | malicious
Re-QUOTATION.exe | malicious
shed.exe | malicious
purchase order.exe | malicious
QUOTATION_PDF_SCAN_COPY.exe | malicious
DHL Shipment Notification 7465649870,pdf.exe | malicious
Firm Order.exe | malicious
Documents_pdf.exe | malicious
QUOTATION.exe | malicious
banka bilgisi.exe | malicious
MV TEAL BULKERS.xlsx | malicious
ForeignRemittance_20210219_USD.xlsx | malicious
HBL VRNA00872.xlsx | malicious
statement.xlsx | malicious

                                                                    Created / dropped Files

                                                                    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                    Category:dropped
                                                                    Size (bytes):332470
                                                                    Entropy (8bit):7.947810553618582
                                                                    Encrypted:false
                                                                    SSDEEP:6144:y11QYLAKZReuEow82wBH6T6Evt4W6cUq5Aj+h3dDIge:GLAKZ8uPTBHW6C2DqCjOVIge
                                                                    MD5:403180100F3D966D4EA44C84D039A6D0
                                                                    SHA1:4B1AF3FD502AD953024CB152C5A6D472FD0307C7
                                                                    SHA-256:18CA07A540DBD6DA66851F88C11AD7683486E33F5C2512FE5C4837C44F8F4BC3
                                                                    SHA-512:1F6AB19D8B0F69BF7C4F9917966B6D6D818148D8FC10ABC1D03B6F08F82C5C59EF449961E9D4055FA691854A216C3EA276ED659739D509A12A38CE6AC2C3640D
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 25%
                                                                    Reputation:low
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L..._.$_.................f...x.......4............@.......................................@.................................D........................................................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...XU...........~..............@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:true
                                                                    Reputation:high, very likely benign file
                                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CHEQUE COPY RECEIPT.exe.log
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1216
                                                                    Entropy (8bit):5.355304211458859
                                                                    Encrypted:false
                                                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                                    MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                                    SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                                    SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                                    SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                                    Malicious:true
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                    C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):11264
                                                                    Entropy (8bit):6.85576811002407
                                                                    Encrypted:false
                                                                    SSDEEP:192:zkIRjWfxhSuP+Oi/+2UNgPQ3XBVCsobJdeS/1+jzpGI9F+YM+G:hjorGbqNNxmdeS/CzpR75Z
                                                                    MD5:524D2FC0515E13C4101D1BAA1BAC0B33
                                                                    SHA1:2F035F68B3E69295B2AA664F5A87AF3EEF7D0779
                                                                    SHA-256:6EF18EA8431521E2D1720FB2634BE322628C95873A91BDBAA656C2031FD591B4
                                                                    SHA-512:033F2367E1C848E87B3C6A4A0E6BF926EB429CEDD7FDC3F0F5C1F48CD0ACCCD74452127F2C54C64C2804496D020A8EC85C0C74859212516FF7BF30D593FAEB6D
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 15%
                                                                    Reputation:low
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..e-K.e-K.e-K.e,K.e-KI..K.e-K...K.e-K...K.e-K...K.e-K...K.e-KRich.e-K........PE..L....F3`...........!.........$............... ...............................`.......................................$..I.... .......P............................................................................... ...............................text...F........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........P.......*..............@..@................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\nscD29E.tmp\System.dll
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):11776
                                                                    Entropy (8bit):5.855045165595541
                                                                    Encrypted:false
                                                                    SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                    MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                    SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                    SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                    SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                    Malicious:false
                                                                    Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Joe Sandbox View:
• Filename: Remittance copy.xlsx, Detection: malicious
• Filename: CI + PL.xlsx, Detection: malicious
• Filename: RFQ_Enquiry_0002379_.xlsx, Detection: malicious
• Filename: QUOTATION.exe, Detection: malicious
• Filename: AgroAG008021921doc_pdf.exe, Detection: malicious
• Filename: CHEQUE COPY.exe, Detection: malicious
• Filename: Bank Details.exe, Detection: malicious
• Filename: Re-QUOTATION.exe, Detection: malicious
• Filename: shed.exe, Detection: malicious
• Filename: purchase order.exe, Detection: malicious
• Filename: QUOTATION_PDF_SCAN_COPY.exe, Detection: malicious
• Filename: DHL Shipment Notification 7465649870,pdf.exe, Detection: malicious
• Filename: Firm Order.exe, Detection: malicious
• Filename: Documents_pdf.exe, Detection: malicious
• Filename: QUOTATION.exe, Detection: malicious
• Filename: banka bilgisi.exe, Detection: malicious
• Filename: MV TEAL BULKERS.xlsx, Detection: malicious
• Filename: ForeignRemittance_20210219_USD.xlsx, Detection: malicious
• Filename: HBL VRNA00872.xlsx, Detection: malicious
• Filename: statement.xlsx, Detection: malicious
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\nsfF3F1.tmp\System.dll
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):11776
                                                                    Entropy (8bit):5.855045165595541
                                                                    Encrypted:false
                                                                    SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                    MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                    SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                    SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                    SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                    Malicious:false
                                                                    Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\nsmD23F.tmp
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):305602
                                                                    Entropy (8bit):7.945679989464754
                                                                    Encrypted:false
                                                                    SSDEEP:6144:91PFuEow02wJHCT6EvtcW6SUq5AD+h3jIgQt:jduPZJHu6CmtqCDOzjE
                                                                    MD5:BAFB51AF8D8FF08D01E2C763A5CDC87D
                                                                    SHA1:026DC8B1A11688CC135AF98FB4EFE7CD95743955
                                                                    SHA-256:FB17C53CF1546570005A12AB4F3B38FBF6D5E9E54732D97C4BC9FEB40ED0D21D
                                                                    SHA-512:F140BDE9F8763F29CFB102F7ACE92DC75C961DBC9FC9833E2ED8A66585F962A5327B5043D7D77C8A49E8E6950D3FFA63A0979CF5C105D4741D4F73955B88857E
                                                                    Malicious:false
                                                                    Preview: ........,...................$...............................................................................................................................................................................................................................................................J...............(...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\nsqF603.tmp
                                                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):21764
                                                                    Entropy (8bit):6.882198527361556
                                                                    Encrypted:false
                                                                    SSDEEP:384:9BjorGbqNNxmdeS/CzpR75Zf4Vhbpds1zm/eHgyF:9Crmqx4eS/Krl54VhFEgyF
                                                                    MD5:C3EE4DAA11E8DE8826566576CD5E1F6C
                                                                    SHA1:880EF4E0E5EA3EA3EF5C115E5E159C02CFA54FCA
                                                                    SHA-256:D643061A0EF3D42B1B7AD8B00A677C5A431E19FDEFCEC9BCD1D52BA225ACBF87
                                                                    SHA-512:2DCDBA8FD8F8A06F3F0AAD2C5799DC6E8F34D958DC7BC7D1FBD2E36C12ED8B81E544AFA449353B0878B3902BC1A0C99620DECD999C726709F8FE7D901CD9B9D3
                                                                    Malicious:false
                                                                    Preview: ........,...................$...............................................................................................................................................................................................................................................................J...............(...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\nsu1979.tmp
                                                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):21764
                                                                    Entropy (8bit):6.882198527361556
                                                                    Encrypted:false
                                                                    SSDEEP:384:9BjorGbqNNxmdeS/CzpR75Zf4Vhbpds1zm/eHgyF:9Crmqx4eS/Krl54VhFEgyF
                                                                    MD5:C3EE4DAA11E8DE8826566576CD5E1F6C
                                                                    SHA1:880EF4E0E5EA3EA3EF5C115E5E159C02CFA54FCA
                                                                    SHA-256:D643061A0EF3D42B1B7AD8B00A677C5A431E19FDEFCEC9BCD1D52BA225ACBF87
                                                                    SHA-512:2DCDBA8FD8F8A06F3F0AAD2C5799DC6E8F34D958DC7BC7D1FBD2E36C12ED8B81E544AFA449353B0878B3902BC1A0C99620DECD999C726709F8FE7D901CD9B9D3
                                                                    Malicious:false
                                                                    Preview: ........,...................$...............................................................................................................................................................................................................................................................J...............(...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\nsvF3B2.tmp
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):305602
                                                                    Entropy (8bit):7.945679989464754
                                                                    Encrypted:false
                                                                    SSDEEP:6144:91PFuEow02wJHCT6EvtcW6SUq5AD+h3jIgQt:jduPZJHu6CmtqCDOzjE
                                                                    MD5:BAFB51AF8D8FF08D01E2C763A5CDC87D
                                                                    SHA1:026DC8B1A11688CC135AF98FB4EFE7CD95743955
                                                                    SHA-256:FB17C53CF1546570005A12AB4F3B38FBF6D5E9E54732D97C4BC9FEB40ED0D21D
                                                                    SHA-512:F140BDE9F8763F29CFB102F7ACE92DC75C961DBC9FC9833E2ED8A66585F962A5327B5043D7D77C8A49E8E6950D3FFA63A0979CF5C105D4741D4F73955B88857E
                                                                    Malicious:false
                                                                    Preview: ........,...................$...............................................................................................................................................................................................................................................................J...............(...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\oonrzjdqx.im
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):279040
                                                                    Entropy (8bit):7.999273333249887
                                                                    Encrypted:true
                                                                    SSDEEP:6144:WPFuEow02wJHCT6EvtcW6SUq5AD+h3jIgd:WduPZJHu6CmtqCDOzjd
                                                                    MD5:8B62F2C193687E33B28430F6132F4D2D
                                                                    SHA1:7794A9B612177B7AED06580622CF0B7163241867
                                                                    SHA-256:5F68BA0AF0A904A8DFE28F0D947F64ECF94E01FF89419D4AAF6864DA8C7AA094
                                                                    SHA-512:1B2149EEE60D96582D3420C54E392B8730395A5F9D468E25A427BCBA19B61ADEE030934B00EF792249085EFA649F1DDFDB2477B13C482AE21411474604BCEB6B
                                                                    Malicious:false
                                                                    Preview: .6.v...a.Cv...w...x..Y+...).x.p.gKN0bL.p..M2..u&..........x.......s,.^..4.....w.l.......t,h..?..[(....B<6|..S........h..%..I.c.O>%.......c..e{...jD.*.Td...K....[:..[......W....SD.-[f3><&zl`..._..^..Q.|6..g...7..V.i. .j.n.s.LI..[.#..# .d.2...y.. 7C+!.....d...Z.....3.&[.....7N....b;..P3.<<...@.U.:..o........O.i4a..r.......P...Lp..crh.<...u...S)X....2...u.Q.:.....nQ.T....u_A9...r..........hi.A..)....p..>Y.I.,]./.1............JTM>..2.....#-R.....}..H....p....O...^...r\.wSml.j....1IE.Z_....OT2...ll.*.3.V...X6:*......u.c-.Av./..... .R...^.....:.Z,..s.....#.......L.h>q...#[t!.qC.Eb:.........@.D.&...5.r.p<ZT.Z|R.i........^.:..$B..H$@.o./.............C...g*....M.......V.V..........x.....h._...1.}.......xE..).k..:B.../.....5.'.......^.G..!.2...9.....Y"rZI.O..... Z...R....%.......$E.7P/E.n_...q%..s.....F..t.:.......@.$^..m.Z.d......&....3....!C....*.T..n...&.e....su.{;...y.v.Y...x.R..&......@...!.w.G.5:.Kc...e5[...'z....uJ.C1........k..h
                                                                    C:\Users\user\AppData\Local\Temp\tmpE682.tmp
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1310
                                                                    Entropy (8bit):5.118330408737918
                                                                    Encrypted:false
                                                                    SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0PWxtn:cbk4oL600QydbQxIYODOLedq3SWj
                                                                    MD5:419B9BAF87B2D10BE7542CC9C964DE83
                                                                    SHA1:78452D57F42AD197A0414E7904E90C775F013AA8
                                                                    SHA-256:30D414E1ACE9688F68A91CD57B3FFEE2817D9DD83419F5CFD2CD2EBE547080A8
                                                                    SHA-512:9F4CD8884F6889291E1A9A5767BFC034837A9507DE27656E92FB4B7E506B5FF03D2A269EB5F870C5953B47C6BF62B93A6A7DF8511022D0345EBE8AB0481E34EE
                                                                    Malicious:true
                                                                    Preview:
                                                                    <?xml version="1.0" encoding="UTF-16"?>
                                                                    <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                                                                      <RegistrationInfo />
                                                                      <Triggers />
                                                                      <Principals>
                                                                        <Principal id="Author">
                                                                          <LogonType>InteractiveToken</LogonType>
                                                                          <RunLevel>HighestAvailable</RunLevel>
                                                                        </Principal>
                                                                      </Principals>
                                                                      <Settings>
                                                                        <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
                                                                        <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                                                                        <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
                                                                        <AllowHardTerminate>true</AllowHardTerminate>
                                                                        <StartWhenAvailable>false</StartWhenAvailable>
                                                                        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
                                                                        <IdleSettings>
                                                                          <StopOnIdleEnd>false</StopOnIdleEnd>
                                                                          <RestartOnIdle>false</RestartOnIdle>
                                                                        </IdleSettings>
                                                                        <AllowStartOnDemand>true</AllowStartOnDemand>
                                                                        <Enabled>true</Enabled>
                                                                        <Hidden>false</Hidden>
                                                                        <RunOnlyIfIdle>false</RunOnlyIfIdle>
                                                                        <Wak
                                                                    C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1310
                                                                    Entropy (8bit):5.109425792877704
                                                                    Encrypted:false
                                                                    SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                    MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                    SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                    SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                    SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                    Malicious:false
                                                                    Preview:
                                                                    <?xml version="1.0" encoding="UTF-16"?>
                                                                    <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                                                                      <RegistrationInfo />
                                                                      <Triggers />
                                                                      <Principals>
                                                                        <Principal id="Author">
                                                                          <LogonType>InteractiveToken</LogonType>
                                                                          <RunLevel>HighestAvailable</RunLevel>
                                                                        </Principal>
                                                                      </Principals>
                                                                      <Settings>
                                                                        <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
                                                                        <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                                                                        <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
                                                                        <AllowHardTerminate>true</AllowHardTerminate>
                                                                        <StartWhenAvailable>false</StartWhenAvailable>
                                                                        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
                                                                        <IdleSettings>
                                                                          <StopOnIdleEnd>false</StopOnIdleEnd>
                                                                          <RestartOnIdle>false</RestartOnIdle>
                                                                        </IdleSettings>
                                                                        <AllowStartOnDemand>true</AllowStartOnDemand>
                                                                        <Enabled>true</Enabled>
                                                                        <Hidden>false</Hidden>
                                                                        <RunOnlyIfIdle>false</RunOnlyIfIdle>
                                                                        <Wak
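The two tmp*.tmp drops above are Task Scheduler task definitions staged in %TEMP% (the Sigma hit "Scheduled temp file as task from temp location" in the signature list refers to this). The Python below is an added example, not part of the Joe Sandbox report, that parses such a definition and flags the settings a responder looks for: an Author principal asking for HighestAvailable, an empty <Triggers /> element (the task only runs when something else starts it), a Hidden flag, and any Exec action whose binary lives in a user-writable path. The embedded XML is constructed from the preview above with the Settings trimmed to the ones checked; the preview is cut off before <Actions>, so that element and its placeholder command path are assumptions, not something the report shows.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# User-writable locations; a persistence task whose binary lives here deserves a look.
USER_WRITABLE = ("c:\\users\\", "%temp%", "%appdata%", "%localappdata%", "%userprofile%")

# Constructed from the tmpE682.tmp preview above, with the Settings trimmed to the
# ones checked below. The preview is cut off before <Actions>, so that element and
# its placeholder command path are assumptions, not something the report shows.
SAMPLE_TASK = b"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\example\\placeholder.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def node_text(root, path: str) -> str:
    """Stripped text of the first element at a namespaced path, or '' if absent."""
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def audit_task(xml_bytes: bytes) -> list:
    """Return findings for one Task Scheduler definition; an empty list means nothing stood out."""
    root = ET.fromstring(xml_bytes)
    findings = []
    if node_text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("RunLevel HighestAvailable: runs elevated without a UAC prompt when the user is an admin")
    triggers = root.find("t:Triggers", NS)
    if triggers is None or len(triggers) == 0:
        findings.append("no triggers: on-demand only, so something else (e.g. schtasks /Run) must start it")
    if node_text(root, "t:Settings/t:Hidden").lower() == "true":
        findings.append("task hidden from the Task Scheduler UI")
    for cmd in root.findall("t:Actions/t:Exec/t:Command", NS):
        raw = (cmd.text or "").strip()
        if raw.strip('"').lower().startswith(USER_WRITABLE):
            findings.append(f"Exec command in a user-writable path: {raw}")
    return findings


if __name__ == "__main__":
    for finding in audit_task(SAMPLE_TASK):
        print("-", finding)
```

On a live host the same function can be run over the XML that `schtasks /Query /XML /TN <name>` returns, or over the task files under C:\Windows\System32\Tasks, which is where the registered copy of a definition like this one ends up.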
                                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:data
                                                                    Category:modified
                                                                    Size (bytes):2320
                                                                    Entropy (8bit):7.024371743172393
                                                                    Encrypted:false
                                                                    SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwh:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
                                                                    MD5:0FBED11864C03FDED0E70014DCF84578
                                                                    SHA1:453723D938A03252F705B0A104986FE4C5CA7056
                                                                    SHA-256:70F5E49EE3091777827ED661B63842061220C899A708860986E9AA1BD87C5004
                                                                    SHA-512:DB53E3F1D18171F1D86C1B9BBF6BBD07153FC3E561834A35834BC0CA1E034FEDCD83AAAE7EDF9262C4E175C3D2287B647F55282E49627EAAF587F43714204667
                                                                    Malicious:false
                                                                    Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:ISO-8859 text, with CR line terminators, with escape sequences
                                                                    Category:dropped
                                                                    Size (bytes):8
                                                                    Entropy (8bit):3.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:K4oin:joi
                                                                    MD5:4343B3F60A47270C9117192785044AD8
                                                                    SHA1:6F48A2C7B2E9E66E29C7A3F19711AAFD1B3C2179
                                                                    SHA-256:7D8DE47DB830173F7E731C8685049C906288A9A8C9C7B7175D7DFFEE3655D242
                                                                    SHA-512:28D04BDB49F1545496D7F813B5932A7AF831899AF016B39A1106197FB01A2D0E10466CBAF6CDB1079C58145DC17A6CE2531EF51A548BFFDE3FD22A3D39645841
                                                                    Malicious:true
                                                                    Preview: ...]M..H
                                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                    Process:C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):47
                                                                    Entropy (8bit):4.533312255932956
                                                                    Encrypted:false
                                                                    SSDEEP:3:oNUWJRWmS0+q2qs7J:oNNJAmH+TqsV
                                                                    MD5:EB9DA02003EBF142462BBB7ED1224454
                                                                    SHA1:81A21F66CEF1CC55D2E8F0F5EB9AE0AB4AF830F1
                                                                    SHA-256:627FE62D0626FBE390F5A97884D85D612E1B3FF7831AFF8834B541259A8BA39B
                                                                    SHA-512:2D5A4CC44505AC7E5BDC7395135A0339051F629A4FE23970485D44C444057CFA785EDCD40890760FDE58874AFA564761D446335B894AA55518447D6CC0F1B7BD
                                                                    Malicious:false
                                                                    Preview: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
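Each dropped-file entry above carries the same set of fields: size, 8-bit entropy, an "Encrypted" verdict and the MD5/SHA1/SHA-256 digests. The Python below is an added example, not the report's or Joe Sandbox's code, that reproduces those fields for a file on disk and then does the first triage step a reader does by eye: collapsing byte-identical drops by SHA-256 (nsqF603.tmp and nsu1979.tmp above share one digest) and listing the ones whose entropy says packed or encrypted. The 7.99 cutoff for "Encrypted" is an assumption that reproduces the two verdicts on this page (7.9993 encrypted, 7.9457 not); the sample byte strings are constructed stand-ins, not the real file contents. One consequence of the metric is worth knowing: run.dat is 8 bytes with entropy exactly 3.0, which is only possible when all eight bytes differ.

```python
import hashlib
import math
import random
from collections import Counter, defaultdict

# Assumed cutoff for the report's "Encrypted" flag. The page marks 7.9993 as
# encrypted and 7.9457 as not; the exact threshold the sandbox uses is not
# given here, so 7.99 is a guess that reproduces those two verdicts.
ENCRYPTED_ENTROPY = 7.99


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(name: str, data: bytes) -> dict:
    """The per-file fields the report lists (ssdeep omitted: it needs the ssdeep library)."""
    ent = shannon_entropy(data)
    return {
        "name": name,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "entropy": round(ent, 6),
        "encrypted": ent >= ENCRYPTED_ENTROPY,
    }


def triage(files: dict) -> dict:
    """Collapse byte-identical drops by SHA-256 and list the ones that look packed/encrypted."""
    by_digest = defaultdict(list)
    packed = []
    for name, data in files.items():
        fp = fingerprint(name, data)
        by_digest[fp["sha256"]].append(name)
        if fp["encrypted"]:
            packed.append(name)
    return {"unique": {d: sorted(n) for d, n in by_digest.items()},
            "packed": sorted(packed)}


def constructed_samples() -> dict:
    """Constructed stand-ins for the drops above; NOT the real file contents."""
    rng = random.Random(355858)  # fixed seed so the run is reproducible
    # Pseudo-random bytes sit just under 8.0 bits/byte at this size, like the
    # deflate-compressed NSIS data (7.9457) that the report does not call encrypted.
    nsis_blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "nsqF603.tmp": nsis_blob,                # two drops with identical content,
        "nsu1979.tmp": nsis_blob,                # as the matching hashes above show
        "oonrzjdqx.im": bytes(range(256)) * 16,  # perfectly uniform: 8.0 bits/byte
        "run.dat": bytes(range(8)),              # 8 distinct bytes: exactly 3.0 bits/byte
        "task.dat": b"C:\\Users\\user\\Desktop\\CHEQUE COPY RECEIPT.exe",
    }


if __name__ == "__main__":
    samples = constructed_samples()
    for name, data in samples.items():
        print(fingerprint(name, data))
    print(triage(samples))
```

To run it against real drops, read each file with `open(path, "rb").read()` into the dict that `triage` takes; the SHA-256 values it prints can then be compared directly with the ones listed above.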

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                    Entropy (8bit):7.947810553618582
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:CHEQUE COPY RECEIPT.exe
                                                                    File size:332470
                                                                    MD5:403180100f3d966d4ea44c84d039a6d0
                                                                    SHA1:4b1af3fd502ad953024cb152c5a6d472fd0307c7
                                                                    SHA256:18ca07a540dbd6da66851f88c11ad7683486e33f5c2512fe5c4837c44f8f4bc3
                                                                    SHA512:1f6ab19d8b0f69bf7c4f9917966b6d6d818148d8fc10abc1d03b6f08f82c5c59ef449961e9d4055fa691854a216c3ea276ed659739d509a12a38ce6ac2c3640d
                                                                    SSDEEP:6144:y11QYLAKZReuEow82wBH6T6Evt4W6cUq5Aj+h3dDIge:GLAKZ8uPTBHW6C2DqCjOVIge
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L..._.$_.................f...x.......4............@

                                                                    File Icon

                                                                    Icon Hash:00828e8e8686b000

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x403486
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                    Time Stamp:0x5F24D75F [Sat Aug 1 02:45:51 2020 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:ea4e67a31ace1a72683a99b80cf37830

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    sub esp, 00000184h
                                                                    push ebx
                                                                    push esi
                                                                    push edi
                                                                    xor ebx, ebx
                                                                    push 00008001h
                                                                    mov dword ptr [esp+18h], ebx
                                                                    mov dword ptr [esp+10h], 0040A130h
                                                                    mov dword ptr [esp+20h], ebx
                                                                    mov byte ptr [esp+14h], 00000020h
                                                                    call dword ptr [004080B0h]
                                                                    call dword ptr [004080C0h]
                                                                    and eax, BFFFFFFFh
                                                                    cmp ax, 00000006h
                                                                    mov dword ptr [0042F44Ch], eax
                                                                    je 00007F8D48963273h
                                                                    push ebx
                                                                    call 00007F8D489663EEh
                                                                    cmp eax, ebx
                                                                    je 00007F8D48963269h
                                                                    push 00000C00h
                                                                    call eax
                                                                    mov esi, 004082A0h
                                                                    push esi
                                                                    call 00007F8D4896636Ah
                                                                    push esi
                                                                    call dword ptr [004080B8h]
                                                                    lea esi, dword ptr [esi+eax+01h]
                                                                    cmp byte ptr [esi], bl
                                                                    jne 00007F8D4896324Dh
                                                                    push 0000000Bh
                                                                    call 00007F8D489663C2h
                                                                    push 00000009h
                                                                    call 00007F8D489663BBh
                                                                    push 00000007h
                                                                    mov dword ptr [0042F444h], eax
                                                                    call 00007F8D489663AFh
                                                                    cmp eax, ebx
                                                                    je 00007F8D48963271h
                                                                    push 0000001Eh
                                                                    call eax
                                                                    test eax, eax
                                                                    je 00007F8D48963269h
                                                                    or byte ptr [0042F44Fh], 00000040h
                                                                    push ebp
                                                                    call dword ptr [00408038h]
                                                                    push ebx
                                                                    call dword ptr [00408288h]
                                                                    mov dword ptr [0042F518h], eax
                                                                    push ebx
                                                                    lea eax, dword ptr [esp+38h]
                                                                    push 00000160h
                                                                    push eax
                                                                    push ebx
                                                                    push 00429878h
                                                                    call dword ptr [0040816Ch]
                                                                    push 0040A1ECh

                                                                    Rich Headers

                                                                    Programming Language:
                                                                    • [EXP] VC++ 6.0 SP5 build 8804

                                                                    Data Directories

                                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x8544           0xa0          .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x38000          0x988         .rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x29c         .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                    Note: the base relocation directory is empty and the file header carries RELOCS_STRIPPED, so the DYNAMIC_BASE flag in the DLL characteristics cannot take effect; the loader maps this stub at its preferred base of 0x400000 and ASLR does not apply to it. The empty COM descriptor matches the blank CLR version above: the outer file is a native NSIS stub, and the .NET code referenced by the signatures is carried inside the archive, not in this image.

                                                                    Sections

                                                                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                    .text   0x1000           0x65ad        0x6600    False     0.675628063725   data       6.48593060343  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                    .rdata  0x8000           0x1380        0x1400    False     0.4634765625     data       5.26110074066  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .data   0xa000           0x25558       0x600     False     0.470052083333   data       4.21916068772  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                    .ndata  0x30000          0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .rsrc   0x38000          0x988         0xa00     False     0.455078125      data       4.30752796442  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                    Note: no section is both writable and executable in the file, so the "changes PE section rights" and "overwrites its own PE header" detections above refer to memory permissions altered at run time, not to the on-disk headers. .ndata occupies no bytes in the file and .data's virtual size (0x25558) is far larger than its raw size (0x600): both ranges are zero-filled by the loader, which is the scratch space the NSIS stub uses while extracting the archive.

                                                                    Resources

                                                                    Name | RVA | Size | Type | Language | Country
                                                                    RT_DIALOG | 0x38148 | 0x100 | data | English | United States
                                                                    RT_DIALOG | 0x38248 | 0x11c | data | English | United States
                                                                    RT_DIALOG | 0x38364 | 0x60 | data | English | United States
                                                                    RT_VERSION | 0x383c4 | 0x284 | data | English | United States
                                                                    RT_MANIFEST | 0x38648 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                                    Imports

                                                                    DLL | Import
                                                                    ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                                                    SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                                                    ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                                                    COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                                    USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                                                    GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                                    KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

                                                                    Version Infos

                                                                    Description | Data
                                                                    LegalCopyright | Copyright patent ductus arteriosus
                                                                    FileVersion | 53.72.67.28
                                                                    CompanyName | tapestry
                                                                    LegalTrademarks | Ap Ma
                                                                    Comments | wind screen
                                                                    ProductName | homeland
                                                                    FileDescription | anodyne
                                                                    Translation | 0x0409 0x04e4

                                                                    Possible Origin

                                                                    Language of compilation system | Country where language is spoken | Map
                                                                    English | United States |

                                                                    Network Behavior

                                                                    Snort IDS Alerts

                                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                    02/22/21-08:17:39.587905 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49719 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:17:48.399746 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49723 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:17:58.317320 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49726 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:18:05.430402 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:18:12.514532 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49728 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:18:19.118907 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49731 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:18:26.162311 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49734 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:18:33.388192 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49739 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:18:41.751477 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49740 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:18:50.274563 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49741 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:18:57.259284 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49743 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:19:03.677112 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49746 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:19:10.806233 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49747 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:19:17.472143 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49748 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:19:23.677103 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49749 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:19:30.716600 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49750 | 7688 | 192.168.2.5 | 185.150.24.55
                                                                    02/22/21-08:19:37.652217 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49751 | 7688 | 192.168.2.5 | 185.150.24.55

                                                                    Network Port Distribution

                                                                    TCP Packets


                                                                    UDP Packets


                                                                    DNS Queries


                                                                    DNS Answers


                                                                    Code Manipulations

                                                                    Statistics

                                                                    Behavior

                                                                    System Behavior

                                                                    General

                                                                    Start time: 08:17:29
                                                                    Start date: 22/02/2021
                                                                    Path: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe'
                                                                    Imagebase: 0x400000
                                                                    File size: 332470 bytes
                                                                    MD5 hash: 403180100F3D966D4EA44C84D039A6D0
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.241553138.0000000002A30000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Reputation: low

                                                                    General

                                                                    Start time: 08:17:30
                                                                    Start date: 22/02/2021
                                                                    Path: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe'
                                                                    Imagebase: 0x400000
                                                                    File size: 332470 bytes
                                                                    MD5 hash: 403180100F3D966D4EA44C84D039A6D0
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: .Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000001.00000001.238064388.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.508559464.0000000005770000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.500407782.00000000022E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.501234563.0000000002442000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.497857999.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.499385166.0000000000798000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.504663155.0000000003563000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.508321305.0000000005640000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.501596655.00000000024D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation: low

                                                                    General

                                                                    Start time: 08:17:35
                                                                    Start date: 22/02/2021
                                                                    Path: C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpE682.tmp'
                                                                    Imagebase: 0x1110000
                                                                    File size: 185856 bytes
                                                                    MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: C, C++ or other language
                                                                    Reputation: high

                                                                    General

                                                                    Start time: 08:17:35
                                                                    Start date: 22/02/2021
                                                                    Path: C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit): false
                                                                    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase: 0x7ff7ecfc0000
                                                                    File size: 625664 bytes
                                                                    MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: C, C++ or other language
                                                                    Reputation: high

                                                                    General

                                                                    Start time: 08:17:36
                                                                    Start date: 22/02/2021
                                                                    Path: C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp'
                                                                    Imagebase: 0x1110000
                                                                    File size: 185856 bytes
                                                                    MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: C, C++ or other language
                                                                    Reputation: high

                                                                    General

                                                                    Start time: 08:17:36
                                                                    Start date: 22/02/2021
                                                                    Path: C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit): false
                                                                    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase: 0x7ff797770000
                                                                    File size: 625664 bytes
                                                                    MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: C, C++ or other language
                                                                    Reputation: high

                                                                    General

                                                                    Start time: 08:17:37
                                                                    Start date: 22/02/2021
                                                                    Path: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0
                                                                    Imagebase: 0x400000
                                                                    File size: 332470 bytes
                                                                    MD5 hash: 403180100F3D966D4EA44C84D039A6D0
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.270410700.0000000002A20000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Reputation: low

                                                                    General

                                                                    Start time: 08:17:38
                                                                    Start date: 22/02/2021
                                                                    Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                    Imagebase: 0x400000
                                                                    File size: 332470 bytes
                                                                    MD5 hash: 403180100F3D966D4EA44C84D039A6D0
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 25%, ReversingLabs
                                                                    Reputation: low

                                                                    General

                                                                    Start time: 08:17:39
                                                                    Start date: 22/02/2021
                                                                    Path: C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: 'C:\Users\user\Desktop\CHEQUE COPY RECEIPT.exe' 0
                                                                    Imagebase: 0x400000
                                                                    File size: 332470 bytes
                                                                    MD5 hash: 403180100F3D966D4EA44C84D039A6D0
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: .Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.282758425.00000000032DC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.282706630.00000000022F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000001.258907957.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.282659839.00000000022A1000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.281769166.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.284708133.0000000004E32000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.282730831.00000000032A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.284375156.00000000047C0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.282508013.00000000006AD000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 08:17:47
Start date: 22/02/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0x400000
File size: 332470 bytes
MD5 hash: 403180100F3D966D4EA44C84D039A6D0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
