
Analysis Report PAYMENT COPY.exe

Overview

General Information

Sample Name: PAYMENT COPY.exe
Analysis ID: 356453
MD5: 53e8c460446fe305dfc2159961aa6234
SHA1: bbebce3965dfc237eac2711a47c141a4f8ff0083
SHA256: b082aa828dd2eb42d6e1de8ccd8573ac3096ceee92ad26449fc1df6e490ff4ed
Tags: exe, NanoCore, RAT, SCB

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PAYMENT COPY.exe (PID: 6392 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
    • PAYMENT COPY.exe (PID: 6432 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
      • schtasks.exe (PID: 6532 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6596 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • PAYMENT COPY.exe (PID: 6612 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0 MD5: 53E8C460446FE305DFC2159961AA6234)
    • PAYMENT COPY.exe (PID: 6712 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0 MD5: 53E8C460446FE305DFC2159961AA6234)
  • dhcpmon.exe (PID: 6744 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 53E8C460446FE305DFC2159961AA6234)
  • dhcpmon.exe (PID: 5932 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
    • dhcpmon.exe (PID: 2896 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "bed38ea9-13ae-4999-bfd6-9ec5f9de3405", "Group": "Default", "Domain1": "chinomso.duckdns.org", "Domain2": "chinomso.duckdns.org", "Port": 7688, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "chinomso.duckdns.org", "BackupDNSServer": "chinomso.duckdns.orgAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x29615:$x1: NanoCore.ClientPluginHost
  • 0x29652:$x2: IClientNetworkHost
  • 0x2d185:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x2738:$a: NanoCore
  • 0x2937d:$a: NanoCore
  • 0x2938d:$a: NanoCore
  • 0x295c1:$a: NanoCore
  • 0x295d5:$a: NanoCore
  • 0x29615:$a: NanoCore
  • 0x293dc:$b: ClientPlugin
  • 0x295de:$b: ClientPlugin
  • 0x2961e:$b: ClientPlugin
  • 0x5fe50:$b: ClientPlugin
  • 0x79f06:$b: ClientPlugin
  • 0x29503:$c: ProjectData
  • 0x29f0a:$d: DESCrypto
  • 0x318d6:$e: KeepAlive
  • 0x2f8c4:$g: LogClientMessage
  • 0x2babf:$i: get_Connected
  • 0x2a240:$j: #=q
  • 0x2a270:$j: #=q
  • 0x2a28c:$j: #=q
  • 0x2a2bc:$j: #=q
  • 0x2a2d8:$j: #=q
Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x350b:$x1: NanoCore.ClientPluginHost
  • 0x3525:$x2: IClientNetworkHost
Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x350b:$x2: NanoCore.ClientPluginHost
  • 0x52b6:$s4: PipeCreated
  • 0x34f8:$s5: IClientLoggingHost
(113 entries in total; only the first are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 1.2.PAYMENT COPY.exe.780000.16.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost
Source: 1.2.PAYMENT COPY.exe.780000.16.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x5fee:$x2: NanoCore.ClientPluginHost
  • 0x9441:$s4: PipeCreated
  • 0x6018:$s5: IClientLoggingHost
Source: 1.2.PAYMENT COPY.exe.27b2a64.22.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1deb:$x1: NanoCore.ClientPluginHost
  • 0x1e24:$x2: IClientNetworkHost
Source: 1.2.PAYMENT COPY.exe.27b2a64.22.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x1deb:$x2: NanoCore.ClientPluginHost
  • 0x1f36:$s4: PipeCreated
  • 0x1e05:$s5: IClientLoggingHost
Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x251e5:$x1: NanoCore.ClientPluginHost
  • 0x25222:$x2: IClientNetworkHost
  • 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(337 entries in total; only the first are shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\PAYMENT COPY.exe, ProcessId: 6432, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\PAYMENT COPY.exe' , ParentImage: C:\Users\user\Desktop\PAYMENT COPY.exe, ParentProcessId: 6432, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp', ProcessId: 6532

Signature Overview

AV Detection:

Found malware configuration
Source: 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (identical to the configuration listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: chinomso.duckdns.org; Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\ri8clfcgml62un.dll; ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: PAYMENT COPY.exe; ReversingLabs: Detection: 35%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.278355916.0000000002411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.298587099.0000000002291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY
Source: Yara match; File source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY
Source: Yara match; File source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY
Source: Yara match; File source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY
Source: Yara match; File source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PAYMENT COPY.exe; Joe Sandbox ML: detected
Source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack; Avira: Label: TR/NanoCore.fadte
Source: 15.2.dhcpmon.exe.4e30000.10.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.1.PAYMENT COPY.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.1.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.2.dhcpmon.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.PAYMENT COPY.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.1.PAYMENT COPY.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.PAYMENT COPY.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack; Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Unpacked PE file: 1.2.PAYMENT COPY.exe.400000.1.unpack
Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Unpacked PE file: 8.2.PAYMENT COPY.exe.400000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Unpacked PE file: 15.2.dhcpmon.exe.400000.1.unpack
Uses 32bit PE files
Source: PAYMENT COPY.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PAYMENT COPY.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wntdll.pdbUGP; source: PAYMENT COPY.exe, 00000000.00000003.237791410.0000000002B20000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000007.00000003.251492752.0000000002C40000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.274760299.0000000002C30000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb; source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb; source: PAYMENT COPY.exe, 00000000.00000003.237791410.0000000002B20000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000007.00000003.251492752.0000000002C40000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.274760299.0000000002C30000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb; source: PAYMENT COPY.exe, 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb; source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb; source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb; source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb; source: PAYMENT COPY.exe, 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 0_2_004065C1 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 1_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 8_2_00404A29 FindFirstFileExW,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 10_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 10_2_004065C1 FindFirstFileA,FindClose,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 10_2_004027A1 FindFirstFileA,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 15_2_00404A29 FindFirstFileExW,

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: chinomso.duckdns.org
Uses dynamic DNS services
Source: unknown; DNS query: name: chinomso.duckdns.org
Source: global traffic; TCP traffic: 192.168.2.7:49711 -> 185.150.24.55:7688
Source: Joe Sandbox View; IP Address: 185.150.24.55
Source: Joe Sandbox View; ASN Name: SKYLINKNL
Source: unknown; DNS traffic detected: queries for: chinomso.duckdns.org
Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: dhcpmon.exe, dhcpmon.exe, 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.270226951.000000000040A000.00000008.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.273721399.000000000040A000.00000008.00020000.sdmp, PAYMENT COPY.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PAYMENT COPY.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\PAYMENT COPY.exe; Code function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: PAYMENT COPY.exe, 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File sources: the same memory dumps, process memory spaces and unpacked PEs as listed for this signature under AV Detection above
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE

    System Summary:

Malicious sample detected (through community Yara rule)
    Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.780000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.6f0000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.754c9f.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.6b0000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.22fba98.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.660000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.700000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Executable has a suspicious name (potential lure to open the executable)
    Source: PAYMENT COPY.exe, Static file information: Suspicious name
    Initial sample is a PE file and has a suspicious name
    Source: initial sample, Static PE information: Filename: PAYMENT COPY.exe
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 10_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 0_2_00407272
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 0_2_00406A9B
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 0_2_73581A98
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_0040A2A5
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_2_00783324
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 1_1_0040A2A5
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 8_2_0040A2A5
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 8_2_0499E480
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 8_2_0499E470
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 8_2_0499BBD4
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 8_2_051CF5F8
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 8_2_051C9788
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 8_2_051CA5F8
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: 8_2_051CA610
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 10_2_00407272
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 10_2_00406A9B
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0040A2A5
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_04D6E480
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_04D6E471
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_04D6E47B
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_04D6BBD4
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0509F5F8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_05099788
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0509A5D0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0509A610
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_05243E30
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_05244A50
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_05244B08
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: String function: 00401ED0 appears 69 times
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe, Code function: String function: 0040569E appears 54 times
    Source: PAYMENT COPY.exe, 00000000.00000003.238893639.0000000002DCF000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000000.00000002.240855252.00000000022F0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, Binary or memory string: OriginalFilename vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.506109620.0000000003650000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.506109620.0000000003650000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNAudio.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.506109620.0000000003650000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000007.00000003.254565501.0000000002C16000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000007.00000002.261551351.00000000022E0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000008.00000002.279599268.0000000005360000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.298632979.00000000022E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.500417911.0000000000750000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500417911.0000000000750000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.499796910.00000000006B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.499796910.00000000006B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.500251784.0000000000710000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500251784.0000000000710000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.499394347.0000000000660000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.499394347.0000000000660000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.500213366.0000000000700000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500213366.0000000000700000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.500144000.00000000006F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500144000.00000000006F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.499506090.0000000000680000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.499506090.0000000000680000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.499715879.00000000006A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.499715879.00000000006A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.504422573.00000000027A5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000003.401079389.0000000003861000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.780000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.780000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.27b2a64.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.27b2a64.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.700000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.700000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.750000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.750000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.243cc68.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.243cc68.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.6f0000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6f0000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.24228c4.18.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.24228c4.18.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.680000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.680000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.2436f00.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.2436f00.20.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.365ec98.27.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.365ec98.27.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.27a65e4.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.27a65e4.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.27a65e4.21.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.710000.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.710000.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.366d53c.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.366d53c.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.247b9ec.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.247b9ec.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.23bc994.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.23bc994.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.27b2a64.22.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.27b2a64.22.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.27b2a64.22.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.75e8a4.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.75e8a4.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.730000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.730000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.750000.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.750000.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.6c0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6c0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.387e041.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.PAYMENT COPY.exe.387e041.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.387e041.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.24228c4.18.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.24228c4.18.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.660000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.660000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.6e0000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6e0000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.241667c.19.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.241667c.19.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.22bcc90.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.22bcc90.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.241667c.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.241667c.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.365ec98.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.365ec98.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.6b0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6b0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.6c0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6c0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.3663937.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.3663937.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.6a0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6a0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.710000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.710000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.27a65e4.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.27a65e4.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.680000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.680000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.730000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.730000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.780000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.780000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.6f0000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6f0000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.754c9f.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.754c9f.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.6b0000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6b0000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.22fba98.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.22fba98.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.660000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.660000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.700000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.700000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@16/24@13/1
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 0_2_72C34239 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File created: C:\Program Files (x86)\DHCP Monitor
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_01
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{bed38ea9-13ae-4999-bfd6-9ec5f9de3405}
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File created: C:\Users\user~1\AppData\Local\Temp\nsxD869.tmp
    Source: PAYMENT COPY.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: PAYMENT COPY.exe | ReversingLabs: Detection: 35%
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File read: C:\Users\user\Desktop\PAYMENT COPY.exe
    Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe'
    Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe'
    Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp'
    Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp'
    Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0
    Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0
    Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
    Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe'
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp'
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp'
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: PAYMENT COPY.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: wntdll.pdbUGP source: PAYMENT COPY.exe, 00000000.00000003.237791410.0000000002B20000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000007.00000003.251492752.0000000002C40000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.274760299.0000000002C30000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdb source: PAYMENT COPY.exe, 00000000.00000003.237791410.0000000002B20000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000007.00000003.251492752.0000000002C40000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.274760299.0000000002C30000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PAYMENT COPY.exe, 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: PAYMENT COPY.exe, 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp

    Data Obfuscation:

    Detected unpacking (changes PE section rights)
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Unpacked PE file: 1.2.PAYMENT COPY.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Unpacked PE file: 8.2.PAYMENT COPY.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 15.2.dhcpmon.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
    Detected unpacking (overwrites its own PE header)
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Unpacked PE file: 1.2.PAYMENT COPY.exe.400000.1.unpack
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Unpacked PE file: 8.2.PAYMENT COPY.exe.400000.0.unpack
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 15.2.dhcpmon.exe.400000.1.unpack
    .NET source code contains potential unpacker
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU==.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU==.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 0_2_73581A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
    Source: ri8clfcgml62un.dll.0.dr | Static PE information: section name: .code
    Source: ri8clfcgml62un.dll.7.dr | Static PE information: section name: .code
    Source: ri8clfcgml62un.dll.14.dr | Static PE information: section name: .code
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 0_2_73582F60 push eax; ret
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_2_00401F16 push ecx; ret
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 1_1_00401F16 push ecx; ret
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 8_2_00401F16 push ecx; ret
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | Code function: 8_2_051C7648 push eax; iretd
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_00401F16 push ecx; ret
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_05097648 push eax; iretd
    Source: initial sample | Static PE information: section name: .data entropy: 7.6178797985
    Source: initial sample | Static PE information: section name: .data entropy: 7.6178797985
    Source: initial sample | Static PE information: section name: .data entropy: 7.6178797985
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File created: C:\Users\user\AppData\Local\Temp\nsoF70E.tmp\System.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File created: C:\Users\user\AppData\Local\Temp\ri8clfcgml62un.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File created: C:\Users\user\AppData\Local\Temp\nsc2504.tmp\System.dll
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File created: C:\Users\user\AppData\Local\Temp\nsmD8C8.tmp\System.dll
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

    Boot Survival:

    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp'

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe File opened: C:\Users\user\Desktop\PAYMENT COPY.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Window / User API: threadDelayed 5356
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Window / User API: threadDelayed 4142
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Window / User API: foregroundWindowGot 456
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Window / User API: foregroundWindowGot 420
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Window / User API: foregroundWindowGot 374
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe TID: 6660 Thread sleep time: -13835058055282155s >= -30000s
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe TID: 7108 Thread sleep count: 42 > 30
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe TID: 7048 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6404 Thread sleep count: 42 > 30
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4496 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_004065C1 FindFirstFileA,FindClose,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_004027A1 FindFirstFileA,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00404A29 FindFirstFileExW,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_00404A29 FindFirstFileExW,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_00404A29 FindFirstFileExW,
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_004065C1 FindFirstFileA,FindClose,
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_004027A1 FindFirstFileA,
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00404A29 FindFirstFileExW,
    Source: PAYMENT COPY.exe, 00000001.00000003.303652307.0000000000634000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_73581A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_72C347A3 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_72C345A0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_004035F1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_004035F1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 7_2_72C347A3 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 7_2_72C345A0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_004035F1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_004035F1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_004067FE GetProcessHeap,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00401E1D SetUnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_00401E1D SetUnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_00401E1D SetUnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00401E1D SetUnhandledExceptionFilter,
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Maps a DLL or memory area into another process
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Section loaded: unknown target: C:\Users\user\Desktop\PAYMENT COPY.exe protection: execute and read and write
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Section loaded: unknown target: C:\Users\user\Desktop\PAYMENT COPY.exe protection: execute and read and write
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: unknown target: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe protection: execute and read and write
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe'
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp'
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp'
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: PAYMENT COPY.exe, 00000001.00000002.501042599.0000000000D80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.498613399.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
    Source: PAYMENT COPY.exe, 00000001.00000002.503675448.00000000026D0000.00000004.00000001.sdmp Binary or memory string: Program Manager
    Source: PAYMENT COPY.exe, 00000001.00000002.501042599.0000000000D80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.498613399.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
    Source: PAYMENT COPY.exe, 00000001.00000002.501042599.0000000000D80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.498613399.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: Progman
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp Binary or memory string: Program ManagerD$
    Source: PAYMENT COPY.exe, 00000001.00000002.503675448.00000000026D0000.00000004.00000001.sdmp Binary or memory string: Program Managerp
    Source: PAYMENT COPY.exe, 00000001.00000002.501042599.0000000000D80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.498613399.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
    Source: PAYMENT COPY.exe, 00000001.00000002.505472590.000000000297E000.00000004.00000001.sdmp Binary or memory string: Program Manager@
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_0040208D cpuid
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information:

    Yara detected Nanocore RAT
    Source: Yara matchFile source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278355916.0000000002411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298587099.0000000002291000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE

    Remote Access Functionality:

    Detected Nanocore Rat
    Source: PAYMENT COPY.exe, 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: PAYMENT COPY.exeString found in binary or memory: NanoCore.ClientPluginHost
    Source: PAYMENT COPY.exe, 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDelete
CreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: PAYMENT COPY.exe, 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGu
idAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttribut
eSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandle
UDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: PAYMENT COPY.exe, 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.
Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: PAYMENT COPY.exe, 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: PAYMENT COPY.exeString found in binary or memory: NanoCore.ClientPluginHost
    Source: PAYMENT COPY.exe, 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.
Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: dhcpmon.exe, 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exeString found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 0000000F.00000002.298632979.00000000022E0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runti
me.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Yara detected Nanocore RAT
    Source: Yara matchFile source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278355916.0000000002411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY

    Mitre Att&ck Matrix

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
    Execution: Windows Management Instrumentation 1; Native API 1; Scheduled Task/Job 1; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
    Persistence: Scheduled Task/Job 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
    Privilege Escalation: Access Token Manipulation 1; Process Injection 112; Scheduled Task/Job 1; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
    Defense Evasion: Disable or Modify Tools 1; Deobfuscate/Decode Files or Information 11; Obfuscated Files or Information 3; Software Packing 32; Masquerading 2; Virtualization/Sandbox Evasion 3; Access Token Manipulation 1; Process Injection 112; Hidden Files and Directories 1
    Credential Access: Input Capture 11; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
    Discovery: System Time Discovery 1; File and Directory Discovery 2; System Information Discovery 25; Security Software Discovery 141; Virtualization/Sandbox Evasion 3; Process Discovery 3; Application Window Discovery 1; Network Service Scanning; System Network Connections Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
    Collection: Archive Collected Data 11; Input Capture 11; Clipboard Data 1; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
    Command and Control: Encrypted Channel 1; Non-Standard Port 1; Remote Access Software 1; Non-Application Layer Protocol 1; Application Layer Protocol 21; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: System Shutdown/Reboot 1; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

    Behavior Graph

    Behavior Graph ID: 356453 | Sample: PAYMENT COPY.exe | Start date: 23/02/2021 | Architecture: WINDOWS | Score: 100
    Signatures on the root node: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
    Process tree (node ids as in the graph):
    • PAYMENT COPY.exe (8), started from the root
      - dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
      - signature: Maps a DLL or memory area into another process
      - started: PAYMENT COPY.exe (18)
        - DNS/IP: chinomso.duckdns.org, 185.150.24.55, ports 49725, 49728, 49734 (SKYLINKNL, Netherlands)
        - dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (International); C:\Users\user\AppData\Local\...\tmpEEDF.tmp (XML); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
        - signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
        - started: schtasks.exe (27) -> conhost.exe (31); schtasks.exe (29) -> conhost.exe (33)
    • dhcpmon.exe (12), started from the root
      - dropped: C:\Users\user\AppData\...\ri8clfcgml62un.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32)
      - started: dhcpmon.exe (23)
        - dropped: C:\Users\user\AppData\...\dhcpmon.exe.log (ASCII)
    • PAYMENT COPY.exe (14), started from the root
      - dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
      - started: PAYMENT COPY.exe (25)
        - dropped: C:\Users\user\...\PAYMENT COPY.exe.log (ASCII)
    • dhcpmon.exe (16), started from the root


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    PAYMENT COPY.exe | 35% | ReversingLabs | Win32.Backdoor.Androm
    PAYMENT COPY.exe | 100% | Joe Sandbox ML |

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 35% | ReversingLabs | Win32.Backdoor.Androm
    C:\Users\user\AppData\Local\Temp\nsc2504.tmp\System.dll | 0% | Virustotal |
    C:\Users\user\AppData\Local\Temp\nsc2504.tmp\System.dll | 0% | Metadefender |
    C:\Users\user\AppData\Local\Temp\nsc2504.tmp\System.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\nsmD8C8.tmp\System.dll | 0% | Metadefender |
    C:\Users\user\AppData\Local\Temp\nsmD8C8.tmp\System.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\nsoF70E.tmp\System.dll | 0% | Metadefender |
    C:\Users\user\AppData\Local\Temp\nsoF70E.tmp\System.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\ri8clfcgml62un.dll | 15% | ReversingLabs | Win32.Trojan.Generic

    Unpacked PE Files

    Source | Detection | Scanner | Label
    1.2.PAYMENT COPY.exe.342c1f8.24.unpack | 100% | Avira | TR/NanoCore.fadte
    15.2.dhcpmon.exe.4e30000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    0.0.PAYMENT COPY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    8.1.PAYMENT COPY.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    15.1.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    14.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    14.0.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    10.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    10.0.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    0.2.PAYMENT COPY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    15.2.dhcpmon.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    7.0.PAYMENT COPY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    1.2.PAYMENT COPY.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    1.1.PAYMENT COPY.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    15.0.dhcpmon.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    7.2.PAYMENT COPY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    8.2.PAYMENT COPY.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    8.2.PAYMENT COPY.exe.49c0000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    8.0.PAYMENT COPY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    1.0.PAYMENT COPY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366

    Domains

    Source | Detection | Scanner | Label
    chinomso.duckdns.org | 8% | Virustotal |

    URLs

    Source | Detection | Scanner | Label
    chinomso.duckdns.org | 8% | Virustotal |
    chinomso.duckdns.org | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    chinomso.duckdns.org | 185.150.24.55 | true | true | | unknown

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    chinomso.duckdns.org | true | 8% (Virustotal); Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nsis.sf.net/NSIS_Error | dhcpmon.exe, dhcpmon.exe, 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.270226951.000000000040A000.00000008.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.273721399.000000000040A000.00000008.00020000.sdmp, PAYMENT COPY.exe | false | | high
    http://nsis.sf.net/NSIS_ErrorError | PAYMENT COPY.exe | false | | high

        Contacted IPs


        Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        185.150.24.55 | unknown | Netherlands | 44592 | SKYLINKNL | true

        General Information

        Joe Sandbox Version: 31.0.0 Emerald
        Analysis ID: 356453
        Start date: 23.02.2021
        Start time: 08:10:56
        Joe Sandbox Product: CloudBasic
        Overall analysis duration: 0h 13m 11s
        Hypervisor based Inspection enabled: false
        Report type: light
        Sample file name: PAYMENT COPY.exe
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed: 36
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Detection: MAL
        Classification: mal100.troj.evad.winEXE@16/24@13/1
        EGA Information: Failed
        HDC Information:
        • Successful, ratio: 17.6% (good quality ratio 16.6%)
        • Quality average: 79.1%
        • Quality standard deviation: 29.2%
        HCA Information:
        • Successful, ratio: 87%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • TCP Packets have been reduced to 100
        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
        • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 51.132.208.181, 13.64.90.137, 92.122.145.220, 104.42.151.234, 168.61.161.212, 184.30.20.56, 51.104.144.132, 51.103.5.159, 93.184.221.240, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129, 51.11.168.160
        • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.

        Simulations

        Behavior and APIs

        Time | Type | Description
        08:11:56 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\PAYMENT COPY.exe" s>$(Arg0)
        08:11:56 | API Interceptor | 1004x Sleep call for process: PAYMENT COPY.exe modified
        08:11:58 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
        08:11:59 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Joe Sandbox View / Context

        IPs

        Match: 185.150.24.55 (associated samples and their detection)
        • CHEQUE COPY RECEIPT.exe (malicious)
        • CHEQUE COPY.exe (malicious)
        • CHEQUE COPY.jar (malicious)
        • PAYMENT COPY RECEIPT.exe (malicious)
        • FeDEx TRACKING DETAILS.exe (malicious)
        • FeDEx TRACKING DETAILS.exe (malicious)
        • FedEx TRACKING DETAILS.exe (malicious)
        • TNT TRACKING DETAILS.exe (malicious)
        • TNT TRACKING DETAILS.exe (malicious)

        Domains

        Match: chinomso.duckdns.org (associated samples, detection, and context IP)
        • CHEQUE COPY RECEIPT.exe (malicious): 185.150.24.55
        • CHEQUE COPY.exe (malicious): 185.150.24.55
        • PAYMENT COPY RECEIPT.exe (malicious): 185.150.24.55
        • Shiping Doc BL.exe (malicious): 194.5.98.157
        • Shiping Doc BL.exe (malicious): 194.5.98.157
        • Shiping Doc BL.exe (malicious): 194.5.98.157
        • Shiping Doc BL.exe (malicious): 194.5.98.157
        • Shiping Doc BL.exe (malicious): 194.5.98.157
        • Shiping Doc BL.exe (malicious): 194.5.98.157
        • DHL AWB TRACKING DETAIL.exe (malicious): 194.5.98.56
        • odou7cg844.exe (malicious): 129.205.124.145
        • DHL AWB TRACKING DETAILS.exe (malicious): 185.244.30.86
        • AWB RECEIPT.exe (malicious): 129.205.124.132
        • TNT AWB TRACKING DETAILS.exe (malicious): 129.205.113.246
        • DHL AWB TRACKING DETAILS.exe (malicious): 197.210.227.36
        • DHL AWB TRACKING DETAILS.exe (malicious): 185.244.30.39
        • TNT AWB TRACKING DETAILS.exe (malicious): 129.205.124.140
        • DHL AWB TRACKING DETAILS.exe (malicious): 197.210.85.85
        • DHL AWB TRACKING DETAIILS.exe (malicious): 185.244.30.39
        • 39Quot.exe (malicious): 185.165.153.35

        ASN

        Match: SKYLINKNL (associated samples, detection, and context IP)
        • CHEQUE COPY RECEIPT.exe (malicious): 185.150.24.55
        • CHEQUE COPY.exe (malicious): 185.150.24.55
        • Quotation-3276.PDF.exe (malicious): 185.150.24.44
        • CHEQUE COPY.jar (malicious): 185.150.24.55
        • MRC20201030XMY, pdf.exe (malicious): 185.150.24.6
        • PAYMENT COPY RECEIPT.exe (malicious): 185.150.24.55
        • FeDEx TRACKING DETAILS.exe (malicious): 185.150.24.55
        • FeDEx TRACKING DETAILS.exe (malicious): 185.150.24.55
        • FedEx TRACKING DETAILS.exe (malicious): 185.150.24.55
        • TNT TRACKING DETAILS.exe (malicious): 185.150.24.55
        • TNT TRACKING DETAILS.exe (malicious): 185.150.24.55
        • QUOTATION 20 10 2020.exe (malicious): 185.150.24.48
        • NEW PO638363483.exe (malicious): 185.150.24.9
        • NEW PO6487382.exe (malicious): 185.150.24.9

        JA3 Fingerprints

        No context

        Dropped Files

        Match: C:\Users\user\AppData\Local\Temp\nsc2504.tmp\System.dll (associated samples and their detection)
        • Our New Order Feb 23 2021 at 2.30_PVV440_PDF.exe (malicious)
        • INV_PR2201.docm (malicious)
        • CV-JOB REQUEST______PDF.EXE (malicious)
        • Request for Quotation.exe (malicious)
        • #U007einvoice#U007eSC00978656.xlsx (malicious)
        • Purchase Order___pdf ____________.exe (malicious)
        • quote.exe (malicious)
        • Order83930.exe (malicious)
        • Invoice 6500TH21Y5674.exe (malicious)
        • Invoice 6500TH21Y5674.exe (malicious)
        • GPP.exe (malicious)
        • OrderSuppliesQuote0817916.exe (malicious)
        • ACCOUNT DETAILS.exe (malicious)
        • Quotation.com.exe (malicious)
        • Unterlagen PDF.exe (malicious)
        • QuotationInvoices.exe (malicious)
        • PO.exe (malicious)
        • SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe (malicious)
        • SecuriteInfo.com.FileRepMalware.24882.exe (malicious)
        • PDF_doc.exe (malicious)

        Created / dropped Files

        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Process: C:\Users\user\Desktop\PAYMENT COPY.exe
        File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
        Category: dropped
        Size (bytes): 332412
        Entropy (8bit): 7.946662165967432
        Encrypted: false
        SSDEEP: 6144:S11QoY9YMstdr55cZ+TsUHBL5xY9j2DLWkl3TsJxdxEn7mZ:+Yxk55cZ+NhL5i9SWkRIjdxBZ
        MD5: 53E8C460446FE305DFC2159961AA6234
        SHA1: BBEBCE3965DFC237EAC2711A47C141A4F8FF0083
        SHA-256: B082AA828DD2EB42D6E1DE8CCD8573AC3096CEEE92AD26449FC1DF6E490FF4ED
        SHA-512: 4043358BEFD7A7FAC79C6E244FC8ADB6CA0F61E1F1B8427875455AE82E3DF47EA982467BB2C993D4C6EAD382F2A3DA77FAFFEF96E53712A393C12445E07F01B2
        Malicious: true
        Antivirus:
        • Antivirus: Joe Sandbox ML, Detection: 100%
        • Antivirus: ReversingLabs, Detection: 35%
        Reputation: low
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L..._.$_.................f...x.......4............@.......................................@.................................D...........`............................................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...XU...........~..............@....ndata...................................rsrc...`...........................@..@................................................................................................................................................................................................................................................................................................................................................................
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
        Process: C:\Users\user\Desktop\PAYMENT COPY.exe
        File Type: ASCII text, with CRLF line terminators
        Category: dropped
        Size (bytes): 26
        Entropy (8bit): 3.95006375643621
        Encrypted: false
        SSDEEP: 3:ggPYV:rPYV
        MD5: 187F488E27DB4AF347237FE461A079AD
        SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
        SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
        SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
        Malicious: true
        Reputation: high, very likely benign file
        Preview: [ZoneTransfer]....ZoneId=0
        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT COPY.exe.log
        Process: C:\Users\user\Desktop\PAYMENT COPY.exe
        File Type: ASCII text, with CRLF line terminators
        Category: dropped
        Size (bytes): 1216
        Entropy (8bit): 5.355304211458859
        Encrypted: false
        SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
        MD5: 69206D3AF7D6EFD08F4B4726998856D3
        SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
        SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
        SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
        Malicious: true
        Reputation: moderate, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1216
                                                                  Entropy (8bit):5.355304211458859
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                                  Malicious:true
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                  C:\Users\user\AppData\Local\Temp\extndbrvvs.aly
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):279040
                                                                  Entropy (8bit):7.999355482654256
                                                                  Encrypted:true
                                                                  SSDEEP:6144:SGrQWot55cT+FsUHBL5xy9j2DL+kl3ZsJx1xEnwXSIIV:SGBg55cT+zhL5A9S+kRmj1xpSIO
                                                                  MD5:CD58A93032A5720ED2F2E6DD9F615956
                                                                  SHA1:9CC17C0944B7124758E59842E59634EFDE088443
                                                                  SHA-256:FA902D29A67B5890704B4B05CF3EE1F3ECF3ED37BE037BE70B0943FA367D1C12
                                                                  SHA-512:9250A73290622C574D12E68417069A34329AB7D3F4F161D2F0A426814912CF0EB568E4EAB95EB3992A8B18192FDDF9BA895D250BA7C12AC526EA7D157EECC839
                                                                  Malicious:false
                                                                  Preview: k.......")3..Nf.YQ.e.........l..-..U.c.E%..nq.O...O.o,.ef......K.R'.j.,..I(..X.a(.)9;.c..].L.Q....b...Or....c..>zS1."R.6.?@g...).n'.{o.................b..L.~`.Ew..i-..R.L.M..=.C...Q.6.Se.'.h.o.. I..a.+..@...m3.......M. .....x=x...}.@..6...n....>..]]6....h.Z.0_..v..v .G..h..0.-....(.[N.I....dp.....['r.rWz .Mu..[,6......:fsL....S.....v.C.&0Q+pSMo`.DC)`..#...1j..<....=.....Rt.i..Y..m.5X...0.X..W.........m.cf...3.P@./R.=....v.%.-.=Fp..hU_..7 .n...Y."7}i6Csw).H....Ic.a..s.m.[....|.P........./I....z......1..'........./K.....1.......(.i..6.I........b~/z..M....W.........:0.I...+.....?....RC.Yu46...Z(.9[]..|..%...........G..}....~....?...N..h.O...|..m*Q...>Ux.l5.K..M..T&...EA>.C.I.%.>.be.z.N..-E.k......&...>... o..0/[(.........J...xA....:h!.{n*..........R.+.v.BGs".8......|...+M^.R...1t.$......yC....tk.d...#...Z..K...Y0...3.R..`..ZY...f_......z.0..\.Q....e..h..,$...R. ......5<..D...".\{.~.";.1...T.z.....W../zs.s...8.../D%KXu....x.......v.+.t.&L......Q.
                                                                  C:\Users\user\AppData\Local\Temp\nsc2504.tmp\System.dll
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:modified
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.855045165595541
                                                                  Encrypted:false
                                                                  SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                  MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                  SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                  SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                  SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: Virustotal, Detection: 0%
                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
                                                                  • Filename: Our New Order Feb 23 2021 at 2.30_PVV440_PDF.exe, Detection: malicious
                                                                  • Filename: INV_PR2201.docm, Detection: malicious
                                                                  • Filename: CV-JOB REQUEST______PDF.EXE, Detection: malicious
                                                                  • Filename: Request for Quotation.exe, Detection: malicious
                                                                  • Filename: #U007einvoice#U007eSC00978656.xlsx, Detection: malicious
                                                                  • Filename: Purchase Order___pdf ____________.exe, Detection: malicious
                                                                  • Filename: quote.exe, Detection: malicious
                                                                  • Filename: Order83930.exe, Detection: malicious
                                                                  • Filename: Invoice 6500TH21Y5674.exe, Detection: malicious
                                                                  • Filename: Invoice 6500TH21Y5674.exe, Detection: malicious
                                                                  • Filename: GPP.exe, Detection: malicious
                                                                  • Filename: OrderSuppliesQuote0817916.exe, Detection: malicious
                                                                  • Filename: ACCOUNT DETAILS.exe, Detection: malicious
                                                                  • Filename: Quotation.com.exe, Detection: malicious
                                                                  • Filename: Unterlagen PDF.exe, Detection: malicious
                                                                  • Filename: QuotationInvoices.exe, Detection: malicious
                                                                  • Filename: PO.exe, Detection: malicious
                                                                  • Filename: SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe, Detection: malicious
                                                                  • Filename: SecuriteInfo.com.FileRepMalware.24882.exe, Detection: malicious
                                                                  • Filename: PDF_doc.exe, Detection: malicious
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\nsm24A5.tmp
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):306118
                                                                  Entropy (8bit):7.939787418337237
                                                                  Encrypted:false
                                                                  SSDEEP:6144:AtyGrQWot55cT+FsUHBL5xy9j2DL+kl3ZsJx1xEnwXSIIYt:QyGBg55cT+zhL5A9S+kRmj1xpSIH
                                                                  MD5:9B39D5926D9633B180D4AFB3E7CAAC40
                                                                  SHA1:06D5F9B6111F68E35F40A1AA609271F000DA23F1
                                                                  SHA-256:FFE073951D33F7DE224C4892F4EDE7B7368C9A37589263BB73D0B87014CF8D96
                                                                  SHA-512:D0FDA76963586867DCE03AEAE079EEB943EEF56776B909E239EB97200DFA8742F421C342D80D0617528527EF9E10C1869CFEAC8F3078A0F084368DFCC11FD053
                                                                  Malicious:false
                                                                  Preview: ........,...................$...............................................................................................................................................................................................................................................................J...............,...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\nsmD8C8.tmp\System.dll
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:modified
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.855045165595541
                                                                  Encrypted:false
                                                                  SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                  MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                  SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                  SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                  SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\nsn16.tmp
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):22347
                                                                  Entropy (8bit):6.772137166768519
                                                                  Encrypted:false
                                                                  SSDEEP:384:A9QcELMTSkCWlpxuWR0O+mGS83jurV4pa4bg+T40K:AMLMukLPxuk3yp3K
                                                                  MD5:904BE663881896399EC80434BA4AFC15
                                                                  SHA1:FB5000F7CC9F3248EC9958E35704E60650A58B59
                                                                  SHA-256:9FD0A2635122A785EF88BE78C820EC044A90CFCD44CD8810EC09C736E160B4E8
                                                                  SHA-512:96100AAE73825DC66CEF953232E34744FB2451812CD2B85EDDDCC4FB8DE3FB81FF672B68AE57E82B3B3CA7B14CA56671035A640B1778B915E684DEEFAEFE4A5E
                                                                  Malicious:false
                                                                  Preview: ........,...................$...............................................................................................................................................................................................................................................................J...............,...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\nsoF70E.tmp\System.dll
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:modified
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.855045165595541
                                                                  Encrypted:false
                                                                  SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                  MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                  SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                  SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                  SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\nsuF6DF.tmp
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):306118
                                                                  Entropy (8bit):7.939787418337237
                                                                  Encrypted:false
                                                                  SSDEEP:6144:AtyGrQWot55cT+FsUHBL5xy9j2DL+kl3ZsJx1xEnwXSIIYt:QyGBg55cT+zhL5A9S+kRmj1xpSIH
                                                                  MD5:9B39D5926D9633B180D4AFB3E7CAAC40
                                                                  SHA1:06D5F9B6111F68E35F40A1AA609271F000DA23F1
                                                                  SHA-256:FFE073951D33F7DE224C4892F4EDE7B7368C9A37589263BB73D0B87014CF8D96
                                                                  SHA-512:D0FDA76963586867DCE03AEAE079EEB943EEF56776B909E239EB97200DFA8742F421C342D80D0617528527EF9E10C1869CFEAC8F3078A0F084368DFCC11FD053
                                                                  Malicious:false
                                                                  Preview: ........,...................$...............................................................................................................................................................................................................................................................J...............,...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\nsxD899.tmp
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):306118
                                                                  Entropy (8bit):7.939787418337237
                                                                  Encrypted:false
                                                                  SSDEEP:6144:AtyGrQWot55cT+FsUHBL5xy9j2DL+kl3ZsJx1xEnwXSIIYt:QyGBg55cT+zhL5A9S+kRmj1xpSIH
                                                                  MD5:9B39D5926D9633B180D4AFB3E7CAAC40
                                                                  SHA1:06D5F9B6111F68E35F40A1AA609271F000DA23F1
                                                                  SHA-256:FFE073951D33F7DE224C4892F4EDE7B7368C9A37589263BB73D0B87014CF8D96
                                                                  SHA-512:D0FDA76963586867DCE03AEAE079EEB943EEF56776B909E239EB97200DFA8742F421C342D80D0617528527EF9E10C1869CFEAC8F3078A0F084368DFCC11FD053
                                                                  Malicious:false
                                                                  Preview: ........,...................$...............................................................................................................................................................................................................................................................J...............,...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\ri8clfcgml62un.dll
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):6.617616566986233
                                                                  Encrypted:false
                                                                  SSDEEP:192:l1fAHxDSLwXELMtO5KwHXYHCWxDpJL0jWP3p0Oy:cQcELMTSkCWlpxuWR0O
                                                                  MD5:19ACEBD18CD8160A4835FF53469C479B
                                                                  SHA1:486432D9B1752D28D79ACDC037CB54569B83C05D
                                                                  SHA-256:359038B41761F6903B97E9B51DC35C062D4D253AF628BEACBAE79A7D44CF1F22
                                                                  SHA-512:C010B18F028600BC60AE8993690A5142D1CFA23E0AC1C9E8DBFC3974F08E708B8A5F16AFB8633AE16736BC79018A85F2855DF10DEC93356713C5C6235F1CB5E9
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 15%
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............e.N.e.N.e.N.e.N.e.NI..N.e.N..cN.e.N..gN.e.N..dN.e.N..aN.e.NRich.e.N................PE..L...dx4`...........!.........&............... ...............................p............@.........................P$..I.... .......P.......................`..d.................................................... ...............................code...L........................... ....rdata....... ......................@..@.data........0......................@....rsrc........P.......*..............@..@.reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1306
                                                                  Entropy (8bit):5.1109020496994875
                                                                  Encrypted:false
                                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0A+Pp8xtn:cbk4oL600QydbQxIYODOLedq3vqp8j
                                                                  MD5:AFDDA7F0503E444134BC1A8B7DFCB5FD
                                                                  SHA1:9C9EBEE89239A89C3FD750B123DC528B98E38198
                                                                  SHA-256:70317BDEB4DD67C116F85C43427A2EC7369B60DC53B323B9C0897FFAC9E9A027
                                                                  SHA-512:B5FAF6350AB75EAC644059C1B6D9E09A4550BD609DBA55ED7DB22C95DD58D4112274629BC10E17B1D35C8555D012CA949EDEF1235BF4FB2DC79323EAAC3A16F3
                                                                  Malicious:true
                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                  C:\Users\user\AppData\Local\Temp\tmpF23B.tmp
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1310
                                                                  Entropy (8bit):5.109425792877704
                                                                  Encrypted:false
                                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                  MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                  SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                  SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                  SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                  Malicious:false
                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):928
                                                                  Entropy (8bit):7.024371743172393
                                                                  Encrypted:false
                                                                  SSDEEP:24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtw:Ik/lCrwfk/lCrwfk/lCrwfk/lCrw8
                                                                  MD5:CCB690520E68EE385ACC0ACFE759AFFC
                                                                  SHA1:33F0DA3F55E5B3C5AC19B61D31471CB60BCD5C96
                                                                  SHA-256:166154225DAB5FCB79C1CA97D371B159D37B83FBC0ADABCD8EBA98FA113A7A3B
                                                                  SHA-512:AC4F3CF1F8F460745D37E6350861C2FBCDDCC1BBDE0A48FB361BFBF5B1EBF10A05F798A72CE413FCA073FF8108955353DDBCBD9D50CED6CDAE231C67A28FDDA3
                                                                  Malicious:false
                                                                  Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:International EBCDIC text, with NEL line terminators
                                                                  Category:dropped
                                                                  Size (bytes):8
                                                                  Entropy (8bit):2.4056390622295662
                                                                  Encrypted:false
                                                                  SSDEEP:3:0I:0I
                                                                  MD5:3CBBBAC199963ABCF4667B290F5BC226
                                                                  SHA1:EF2F3B0E7DF4A2DAEDD2BEF311FBAB7F5C651DE0
                                                                  SHA-256:0C8B09A6E62621A09F742CDC38DB8DC94B247E678DE264A99DAA216EB461087F
                                                                  SHA-512:9E66F75D4907FACD9484986E87D63ECEC7BDCF4EBC2ACA55B4DF5073BFF6FF2A01527C65ED7A6C2A44444C2D4EFCB26D233CEEBCA7B2074AC3387BB67EA135C1
                                                                  Malicious:true
                                                                  Preview: p.....H
                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):40
                                                                  Entropy (8bit):5.153055907333276
                                                                  Encrypted:false
                                                                  SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                                  MD5:4E5E92E2369688041CC82EF9650EDED2
                                                                  SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                                  SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                                  SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                                  Malicious:false
                                                                  Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):327432
                                                                  Entropy (8bit):7.99938831605763
                                                                  Encrypted:true
                                                                  SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                                  MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                                  SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                                  SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                                  SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                                  Malicious:false
                                                                  Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):43
                                                                  Entropy (8bit):4.458598697157055
                                                                  Encrypted:false
                                                                  SSDEEP:3:oN0naRR1k+PaAdA:oNcSRu+PpA
                                                                  MD5:AC74F0849FB911B24DEBB2AEDEE8E24C
                                                                  SHA1:8797005CAE13E840F2E14E0F787ADA26F24DD32F
                                                                  SHA-256:BBF827B7252E76C927747FE8875F19392D54C070CB743DDE37095715705D0C7B
                                                                  SHA-512:DB156C220C174959351DA1F8D1402AADB261D4383EDDE9297D534F92127680D39E78A177DD271CBF8F7255E199A4963EC896A06AF1A439174AE8E909DD9F9D89
                                                                  Malicious:false
                                                                  Preview: C:\Users\user\Desktop\PAYMENT COPY.exe
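The two Task Scheduler definitions written to %TEMP% and the five files under the GUID-named directory in AppData\Roaming are the artifacts a responder would hunt for after reading this table. The Python below is an added example, not part of the report or of the sample. It parses a task definition shaped like the tmpEEDF.tmp preview (the embedded XML is constructed from the visible elements because the preview is truncated at <Wak) and flags a task that runs at HighestAvailable with no triggers; it then matches a list of dropped paths, taken verbatim from this table, against the directory and file-name pattern shown above. Function names and flag wording are the example's own.

```python
"""Triage the files this report lists as dropped by PAYMENT COPY.exe.

Added example; not part of the sandbox report or of the sample. Two checks:
  parse_task_xml()    -- read a Task Scheduler definition shaped like the
                         tmpEEDF.tmp / tmpF23B.tmp previews and flag a task
                         that runs at HighestAvailable with no triggers
  match_storage_dir() -- find a GUID-named directory under the Roaming
                         profile holding the run.dat / catalog.dat /
                         settings.bin / storage.dat / task.dat set listed above
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
GUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)
STORAGE_FILES = {"run.dat", "catalog.dat", "settings.bin", "storage.dat", "task.dat"}

# Constructed sample: the elements visible in the tmpEEDF.tmp preview, which the
# report truncates, so this is not the dropped file itself.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
  </Settings>
</Task>
"""

# Paths exactly as the dropped-file table lists them.
DROPPED_PATHS = [
    r"C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp",
    r"C:\Users\user\AppData\Local\Temp\tmpF23B.tmp",
    r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat",
    r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat",
    r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin",
    r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat",
    r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat",
]


def parse_task_xml(text):
    """Return RunLevel, LogonType, trigger count and a list of flags for a task definition.

    The dropped files declare encoding="UTF-16" but are ASCII (their File Type
    says so), so the declaration is stripped rather than trusted by the parser.
    """
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1)
    root = ET.fromstring(body)
    if root.tag != "{%s}Task" % TASK_NS["t"]:
        raise ValueError("not a Task Scheduler definition")

    def text_of(path):
        node = root.find(path, TASK_NS)
        return node.text.strip() if node is not None and node.text else None

    triggers = root.find("t:Triggers", TASK_NS)
    info = {
        "run_level": text_of("t:Principals/t:Principal/t:RunLevel"),
        "logon_type": text_of("t:Principals/t:Principal/t:LogonType"),
        "trigger_count": 0 if triggers is None else len(list(triggers)),
        "on_demand": text_of("t:Settings/t:AllowStartOnDemand") == "true",
        "flags": [],
    }
    if info["run_level"] == "HighestAvailable":
        info["flags"].append("runs at the highest privilege level available to the user")
    if info["trigger_count"] == 0 and info["on_demand"]:
        info["flags"].append("no triggers: only ever started on demand by whoever registered it")
    return info


def match_storage_dir(paths):
    """Directories whose name is a GUID directly under AppData/Roaming and which hold the full file set."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(wp.parent, set()).add(wp.name.lower())
    hits = []
    for directory, names in by_dir.items():
        parents = [part.lower() for part in directory.parts[:-1]]
        if GUID_RE.match(directory.name) and parents[-2:] == ["appdata", "roaming"] and STORAGE_FILES <= names:
            hits.append(str(directory))
    return hits
```

parse_task_xml removes the XML declaration on purpose: both tmp files declare UTF-16 while their File Type is ASCII text, and a parser that honours the declaration will either reject the file or decode it as garbage. An empty Triggers element together with RunLevel HighestAvailable means the task is never started by the scheduler itself; it exists to be run on demand, at the highest privilege level the registering user can obtain, which is what the "Scheduled temp file as task from temp location" and schtasks.exe signatures in this report are pointing at. match_storage_dir deliberately requires the complete file set, so a directory holding only some of the names is not reported.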

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                  Entropy (8bit):7.946662165967432
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:PAYMENT COPY.exe
                                                                  File size:332412
                                                                  MD5:53e8c460446fe305dfc2159961aa6234
                                                                  SHA1:bbebce3965dfc237eac2711a47c141a4f8ff0083
                                                                  SHA256:b082aa828dd2eb42d6e1de8ccd8573ac3096ceee92ad26449fc1df6e490ff4ed
                                                                  SHA512:4043358befd7a7fac79c6e244fc8adb6ca0f61e1f1b8427875455ae82e3df47ea982467bb2c993d4c6ead382f2a3da77faffef96e53712a393c12445e07f01b2
                                                                  SSDEEP:6144:S11QoY9YMstdr55cZ+TsUHBL5xY9j2DLWkl3TsJxdxEn7mZ:+Yxk55cZ+NhL5i9SWkRIjdxBZ
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L..._.$_.................f...x.......4............@

                                                                  File Icon

                                                                  Icon Hash:00828e8e8686b000

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x403486
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x5F24D75F [Sat Aug 1 02:45:51 2020 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:ea4e67a31ace1a72683a99b80cf37830

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  sub esp, 00000184h
                                                                  push ebx
                                                                  push esi
                                                                  push edi
                                                                  xor ebx, ebx
                                                                  push 00008001h
                                                                  mov dword ptr [esp+18h], ebx
                                                                  mov dword ptr [esp+10h], 0040A130h
                                                                  mov dword ptr [esp+20h], ebx
                                                                  mov byte ptr [esp+14h], 00000020h
                                                                  call dword ptr [004080B0h]
                                                                  call dword ptr [004080C0h]
                                                                  and eax, BFFFFFFFh
                                                                  cmp ax, 00000006h
                                                                  mov dword ptr [0042F44Ch], eax
                                                                  je 00007FF014AB6A83h
                                                                  push ebx
                                                                  call 00007FF014AB9BFEh
                                                                  cmp eax, ebx
                                                                  je 00007FF014AB6A79h
                                                                  push 00000C00h
                                                                  call eax
                                                                  mov esi, 004082A0h
                                                                  push esi
                                                                  call 00007FF014AB9B7Ah
                                                                  push esi
                                                                  call dword ptr [004080B8h]
                                                                  lea esi, dword ptr [esi+eax+01h]
                                                                  cmp byte ptr [esi], bl
                                                                  jne 00007FF014AB6A5Dh
                                                                  push 0000000Bh
                                                                  call 00007FF014AB9BD2h
                                                                  push 00000009h
                                                                  call 00007FF014AB9BCBh
                                                                  push 00000007h
                                                                  mov dword ptr [0042F444h], eax
                                                                  call 00007FF014AB9BBFh
                                                                  cmp eax, ebx
                                                                  je 00007FF014AB6A81h
                                                                  push 0000001Eh
                                                                  call eax
                                                                  test eax, eax
                                                                  je 00007FF014AB6A79h
                                                                  or byte ptr [0042F44Fh], 00000040h
                                                                  push ebp
                                                                  call dword ptr [00408038h]
                                                                  push ebx
                                                                  call dword ptr [00408288h]
                                                                  mov dword ptr [0042F518h], eax
                                                                  push ebx
                                                                  lea eax, dword ptr [esp+38h]
                                                                  push 00000160h
                                                                  push eax
                                                                  push ebx
                                                                  push 00429878h
                                                                  call dword ptr [0040816Ch]
                                                                  push 0040A1ECh

                                                                  Rich Headers

                                                                  Programming Language:
                                                                  • [EXP] VC++ 6.0 SP5 build 8804

                                                                  Data Directories

                                                                  Name                                  Virtual Address  Virtual Size  Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT          0x8544           0xa0          .rdata
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x38000          0x960         .rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x29c         .rdata
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                  Sections

                                                                  Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                  .text   0x1000           0x65ad        0x6600    False     0.675628063725   data       6.48593060343  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                  .rdata  0x8000           0x1380        0x1400    False     0.4634765625     data       5.26110074066  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .data   0xa000           0x25558       0x600     False     0.470052083333   data       4.21916068772  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                  .ndata  0x30000          0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .rsrc   0x38000          0x960         0xa00     False     0.4484375        data       4.27028215028  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                  Name         RVA      Size   Type                                                                          Language  Country
                                                                  RT_DIALOG    0x38148  0x100  data                                                                          English   United States
                                                                  RT_DIALOG    0x38248  0x11c  data                                                                          English   United States
                                                                  RT_DIALOG    0x38364  0x60   data                                                                          English   United States
                                                                  RT_VERSION   0x383c4  0x25c  data                                                                          English   United States
                                                                  RT_MANIFEST  0x38620  0x340  XML 1.0 document, ASCII text, with very long lines, with no line terminators  English   United States

                                                                  Imports

                                                                  DLL           Import
                                                                  ADVAPI32.dll  RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                                                  SHELL32.dll   SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                                                  ole32.dll     IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                                                  COMCTL32.dll  ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                                  USER32.dll    SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                                                  GDI32.dll     SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                                  KERNEL32.dll  GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
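The Import Hash given under Static PE Info (ea4e67a31ace1a72683a99b80cf37830) is derived from this table. The Python below is an added example, not code from the report's vendor or from the pefile project; it reproduces the normalisation pefile documents for PE.get_imphash() (library name lowercased with a trailing .dll/.ocx/.sys removed, a dot, the function name lowercased, all entries joined by commas in import-descriptor order, MD5 of the result) over the imports listed above. Ordinal-only imports are rendered as ord<N>; pefile first maps ws2_32 and oleaut32 ordinals to names through its lookup tables, which this example omits. Because the value depends on the on-disk order of the import descriptors, which this table may not preserve, the result is not asserted to equal the report's hash.

```python
"""Reproduce the import-hash (imphash) computation over the Imports table.

Added example; not from the sandbox vendor or from pefile. Follows the
normalisation pefile uses for PE.get_imphash():
  - library name lowercased, with a trailing .dll/.ocx/.sys removed
  - '.' and the function name lowercased
  - entries joined by ',' in import-descriptor order, then MD5
Ordinal-only imports become 'ord<N>'; pefile additionally maps ws2_32 and
oleaut32 ordinals to names via lookup tables, which are omitted here.
"""
import hashlib

IMPHASH_EXTENSIONS = ("ocx", "sys", "dll")

# Transcribed from the Imports table above. Whether this is the on-disk
# descriptor order is not something the table guarantees.
IMPORTS = [
    ("ADVAPI32.dll", "RegCreateKeyExA RegEnumKeyA RegQueryValueExA RegSetValueExA RegCloseKey "
                     "RegDeleteValueA RegDeleteKeyA AdjustTokenPrivileges LookupPrivilegeValueA "
                     "OpenProcessToken SetFileSecurityA RegOpenKeyExA RegEnumValueA".split()),
    ("SHELL32.dll", "SHGetFileInfoA SHFileOperationA SHGetPathFromIDListA ShellExecuteExA "
                    "SHGetSpecialFolderLocation SHBrowseForFolderA".split()),
    ("ole32.dll", "IIDFromString OleInitialize OleUninitialize CoCreateInstance CoTaskMemFree".split()),
    ("COMCTL32.dll", "ImageList_Create ImageList_Destroy ImageList_AddMasked".split()),
    ("USER32.dll", "SetClipboardData CharPrevA CallWindowProcA PeekMessageA DispatchMessageA "
                   "MessageBoxIndirectA GetDlgItemTextA SetDlgItemTextA GetSystemMetrics CreatePopupMenu "
                   "AppendMenuA TrackPopupMenu FillRect EmptyClipboard LoadCursorA GetMessagePos "
                   "CheckDlgButton GetSysColor SetCursor GetWindowLongA SetClassLongA SetWindowPos "
                   "IsWindowEnabled GetWindowRect GetSystemMenu EnableMenuItem RegisterClassA ScreenToClient "
                   "EndDialog GetClassInfoA SystemParametersInfoA CreateWindowExA ExitWindowsEx DialogBoxParamA "
                   "CharNextA SetTimer DestroyWindow CreateDialogParamA SetForegroundWindow SetWindowTextA "
                   "PostQuitMessage SendMessageTimeoutA ShowWindow wsprintfA GetDlgItem FindWindowExA IsWindow "
                   "GetDC SetWindowLongA LoadImageA InvalidateRect ReleaseDC EnableWindow BeginPaint SendMessageA "
                   "DefWindowProcA DrawTextA GetClientRect EndPaint IsWindowVisible CloseClipboard OpenClipboard".split()),
    ("GDI32.dll", "SetBkMode SetBkColor GetDeviceCaps CreateFontIndirectA CreateBrushIndirect DeleteObject "
                  "SetTextColor SelectObject".split()),
    ("KERNEL32.dll", "GetExitCodeProcess WaitForSingleObject GetProcAddress GetSystemDirectoryA WideCharToMultiByte "
                     "MoveFileExA GetTempFileNameA RemoveDirectoryA WriteFile CreateDirectoryA GetLastError "
                     "CreateProcessA GlobalLock GlobalUnlock CreateThread lstrcpynA SetErrorMode GetDiskFreeSpaceA "
                     "lstrlenA GetCommandLineA GetVersion GetWindowsDirectoryA SetEnvironmentVariableA GetTempPathA "
                     "CopyFileA GetCurrentProcess ExitProcess GetModuleFileNameA GetFileSize ReadFile GetTickCount "
                     "Sleep CreateFileA GetFileAttributesA SetCurrentDirectoryA SetFileAttributesA GetFullPathNameA "
                     "GetShortPathNameA MoveFileA CompareFileTime SetFileTime SearchPathA lstrcmpiA lstrcmpA "
                     "CloseHandle GlobalFree GlobalAlloc ExpandEnvironmentStringsA LoadLibraryExA FreeLibrary "
                     "lstrcpyA lstrcatA FindClose MultiByteToWideChar WritePrivateProfileStringA "
                     "GetPrivateProfileStringA SetFilePointer GetModuleHandleA FindNextFileA FindFirstFileA "
                     "DeleteFileA MulDiv".split()),
]


def normalize_import(dll, func):
    """One 'lib.func' token in pefile's canonical form; func is a name or an ordinal."""
    lib = dll.lower()
    parts = lib.rsplit(".", 1)
    if len(parts) > 1 and parts[1] in IMPHASH_EXTENSIONS:
        lib = parts[0]
    if isinstance(func, int):
        func = f"ord{func}"  # pefile: ordLookup(..., make_name=True) for DLLs without a name table
    return f"{lib}.{func.lower()}"


def import_string(imports):
    """The comma-joined token list that gets hashed; handy for diffing two samples' import sets."""
    return ",".join(normalize_import(dll, f) for dll, funcs in imports for f in funcs)


def imphash(imports):
    """MD5 over the normalised, comma-joined import list."""
    return hashlib.md5(import_string(imports).encode()).hexdigest()


if __name__ == "__main__":
    print(imphash(IMPORTS))
```

Every import in this table belongs to the Nullsoft installer stub (the Static File Info above identifies the file as a Nullsoft Installer self-extracting archive), so this imphash characterises NSIS-built installers in general rather than NanoCore. Pivoting on it will surface unrelated installers; the payload's own imports are only visible once the embedded archive has been extracted and the dropped executable is examined on its own.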

                                                                  Version Infos

                                                                  Description      Data
                                                                  LegalCopyright   Copyright Shaanxi
                                                                  FileVersion      90.50.10.2
                                                                  CompanyName      symbolic
                                                                  LegalTrademarks  Buol
                                                                  Comments         Saxony
                                                                  ProductName      lightbulb
                                                                  FileDescription  survivor
                                                                  Translation      0x0409 0x04e4

                                                                  Possible Origin

                                                                  Language of compilation system  Country where language is spoken
                                                                  English                         United States

                                                                  Network Behavior

                                                                  Network Port Distribution

                                                                  TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 08:11:57.971867085 CET | 49711 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:01.054852962 CET | 49711 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:07.061415911 CET | 49711 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:17.394999981 CET | 49725 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:20.453207016 CET | 49725 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:26.453692913 CET | 49725 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:35.758625984 CET | 49728 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:38.751656055 CET | 49728 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:39.653305054 CET | 7688 | 49725 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:39.653495073 CET | 49725 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:40.105993032 CET | 7688 | 49725 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:44.923953056 CET | 49728 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:45.132733107 CET | 7688 | 49728 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:45.132883072 CET | 49728 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:45.176296949 CET | 49728 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:45.396951914 CET | 7688 | 49728 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:45.410798073 CET | 49728 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:45.616755009 CET | 7688 | 49728 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:45.720943928 CET | 49728 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:45.939094067 CET | 7688 | 49728 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:45.967158079 CET | 49728 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:46.128530025 CET | 49728 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:46.329687119 CET | 7688 | 49728 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:46.329785109 CET | 49728 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:50.471874952 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:50.676709890 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:50.676826000 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:50.677452087 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:50.900098085 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:50.902806997 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.103795052 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.107040882 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.396121025 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.400945902 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.425412893 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.426062107 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.437114000 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.443243980 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.444075108 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.448003054 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.448935032 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.449178934 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.643914938 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.652127981 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.653007030 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.663764954 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.673142910 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.674065113 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.677896976 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.683335066 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.685416937 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.690367937 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.696141958 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.705013037 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.866880894 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.874144077 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.874244928 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.882159948 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.891952991 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.892081022 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.904917002 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.913801908 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.913990021 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.923981905 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.934052944 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.934134960 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.941858053 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.951328039 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.951500893 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.970124006 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.975358963 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:51.975538015 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:51.990825891 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.005896091 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.005975008 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:52.044104099 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.073807955 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.073971033 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:52.128669024 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.155844927 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.155997992 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:52.166887045 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.174671888 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.174772978 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:52.175527096 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:52.181725979 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.181843042 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:52.188837051 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.188988924 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:52.203799009 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.203965902 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:52.216903925 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.217087984 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:52.240864038 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.241003036 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:52.251765966 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.251950026 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:52.270746946 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7
Feb 23, 2021 08:12:52.270845890 CET | 49734 | 7688 | 192.168.2.7 | 185.150.24.55
Feb 23, 2021 08:12:52.281265974 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.7

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 08:11:41.903371096 CET | 58562 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:41.949830055 CET | 56590 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:41.955261946 CET | 53 | 58562 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:41.998357058 CET | 53 | 56590 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:42.129158974 CET | 60501 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:42.177692890 CET | 53 | 60501 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:43.701062918 CET | 53775 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:43.753017902 CET | 53 | 53775 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:44.062700033 CET | 51837 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:44.123857975 CET | 53 | 51837 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:45.027590036 CET | 55411 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:45.078006029 CET | 53 | 55411 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:46.430269957 CET | 63668 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:46.480618954 CET | 53 | 63668 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:47.605781078 CET | 54640 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:47.654464006 CET | 53 | 54640 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:48.597007036 CET | 58739 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:48.645579100 CET | 53 | 58739 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:49.554630995 CET | 60338 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:49.603455067 CET | 53 | 60338 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:50.859311104 CET | 58717 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:50.908116102 CET | 53 | 58717 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:52.048846960 CET | 59762 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:52.100598097 CET | 53 | 59762 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:53.974230051 CET | 54329 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:54.034193993 CET | 53 | 54329 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:55.835946083 CET | 58052 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:55.885308027 CET | 53 | 58052 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:57.696343899 CET | 54008 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:57.916781902 CET | 53 | 54008 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:58.103384972 CET | 59451 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:58.154814959 CET | 53 | 59451 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:11:59.633799076 CET | 52914 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:11:59.682451963 CET | 53 | 52914 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:01.157835007 CET | 64569 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:01.206501007 CET | 53 | 64569 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:02.868599892 CET | 52816 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:02.920520067 CET | 53 | 52816 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:04.380520105 CET | 50781 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:04.432784081 CET | 53 | 50781 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:06.958430052 CET | 54230 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:07.018827915 CET | 53 | 54230 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:07.152877092 CET | 54911 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:07.201458931 CET | 53 | 54911 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:08.184039116 CET | 49958 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:08.235394001 CET | 53 | 49958 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:09.404309988 CET | 50860 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:09.458390951 CET | 53 | 50860 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:11.257404089 CET | 50452 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:11.316282988 CET | 53 | 50452 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:12.615478992 CET | 59730 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:12.664199114 CET | 53 | 59730 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:17.166829109 CET | 59310 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:17.393465996 CET | 53 | 59310 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:19.701574087 CET | 51919 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:19.751816988 CET | 53 | 51919 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:35.698424101 CET | 64296 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:35.756969929 CET | 53 | 64296 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:37.144649982 CET | 56680 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:37.156831980 CET | 58820 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:37.194583893 CET | 53 | 56680 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:37.218147993 CET | 53 | 58820 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:39.933470964 CET | 60983 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:39.986462116 CET | 53 | 60983 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:50.250233889 CET | 49247 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:50.470235109 CET | 53 | 49247 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:52.268327951 CET | 52286 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:52.326889038 CET | 53 | 52286 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:12:57.225146055 CET | 56064 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:12:57.453453064 CET | 53 | 56064 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:05.064574003 CET | 63744 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:05.124604940 CET | 53 | 63744 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:11.557959080 CET | 61457 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:11.619239092 CET | 53 | 61457 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:14.104386091 CET | 58367 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:14.164246082 CET | 53 | 58367 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:14.823729992 CET | 60599 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:14.880944014 CET | 53 | 60599 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:15.617856026 CET | 59571 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:15.668433905 CET | 53 | 59571 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:16.447695971 CET | 52689 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:16.506561041 CET | 53 | 52689 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:16.961836100 CET | 50290 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:17.023086071 CET | 53 | 50290 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:17.515580893 CET | 60427 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:17.567055941 CET | 53 | 60427 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:19.216253996 CET | 56209 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:19.273304939 CET | 53 | 56209 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:19.680048943 CET | 59582 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:19.737291098 CET | 53 | 59582 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:20.464555025 CET | 60949 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:20.524211884 CET | 53 | 60949 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:21.624974012 CET | 58542 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:21.673666954 CET | 53 | 58542 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:22.570275068 CET | 59179 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:22.629508018 CET | 53 | 59179 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:23.264425993 CET | 60927 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:23.312992096 CET | 53 | 60927 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:25.127729893 CET | 57854 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:25.187793970 CET | 53 | 57854 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:31.232362986 CET | 62026 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:31.459999084 CET | 53 | 62026 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:38.460644007 CET | 59453 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:38.522447109 CET | 53 | 59453 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:41.938846111 CET | 62468 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:41.987490892 CET | 53 | 62468 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:44.666580915 CET | 52563 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:44.715342045 CET | 53 | 52563 | 8.8.8.8 | 192.168.2.7
Feb 23, 2021 08:13:52.423085928 CET | 54721 | 53 | 192.168.2.7 | 8.8.8.8
Feb 23, 2021 08:13:52.484493017 CET | 53 | 54721 | 8.8.8.8 | 192.168.2.7

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 08:11:57.696343899 CET | 192.168.2.7 | 8.8.8.8 | 0x433 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 08:12:17.166829109 CET | 192.168.2.7 | 8.8.8.8 | 0xd7ab | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 08:12:35.698424101 CET | 192.168.2.7 | 8.8.8.8 | 0x3462 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 08:12:50.250233889 CET | 192.168.2.7 | 8.8.8.8 | 0x992d | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 08:12:57.225146055 CET | 192.168.2.7 | 8.8.8.8 | 0xfb0b | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:05.064574003 CET | 192.168.2.7 | 8.8.8.8 | 0x28a8 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:11.557959080 CET | 192.168.2.7 | 8.8.8.8 | 0x1f5d | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:19.216253996 CET | 192.168.2.7 | 8.8.8.8 | 0x6412 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:25.127729893 CET | 192.168.2.7 | 8.8.8.8 | 0xafc5 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:31.232362986 CET | 192.168.2.7 | 8.8.8.8 | 0xb242 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:38.460644007 CET | 192.168.2.7 | 8.8.8.8 | 0x8293 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:44.666580915 CET | 192.168.2.7 | 8.8.8.8 | 0x1e5 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:52.423085928 CET | 192.168.2.7 | 8.8.8.8 | 0xbe7c | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 08:11:57.916781902 CET | 8.8.8.8 | 192.168.2.7 | 0x433 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:12:17.393465996 CET | 8.8.8.8 | 192.168.2.7 | 0xd7ab | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:12:35.756969929 CET | 8.8.8.8 | 192.168.2.7 | 0x3462 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:12:50.470235109 CET | 8.8.8.8 | 192.168.2.7 | 0x992d | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:12:57.453453064 CET | 8.8.8.8 | 192.168.2.7 | 0xfb0b | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:05.124604940 CET | 8.8.8.8 | 192.168.2.7 | 0x28a8 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:11.619239092 CET | 8.8.8.8 | 192.168.2.7 | 0x1f5d | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:19.273304939 CET | 8.8.8.8 | 192.168.2.7 | 0x6412 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:25.187793970 CET | 8.8.8.8 | 192.168.2.7 | 0xafc5 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:31.459999084 CET | 8.8.8.8 | 192.168.2.7 | 0xb242 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:38.522447109 CET | 8.8.8.8 | 192.168.2.7 | 0x8293 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:44.715342045 CET | 8.8.8.8 | 192.168.2.7 | 0x1e5 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:13:52.484493017 CET | 8.8.8.8 | 192.168.2.7 | 0xbe7c | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)

                                                                  Code Manipulations

                                                                  Statistics

                                                                  Behavior

                                                                  System Behavior

                                                                  General

                                                                  Start time:08:11:48
                                                                  Start date:23/02/2021
                                                                  Path:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\PAYMENT COPY.exe'
                                                                  Imagebase:0x400000
                                                                  File size:332412 bytes
                                                                  MD5 hash:53E8C460446FE305DFC2159961AA6234
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  Reputation:low

                                                                  General

                                                                  Start time:08:11:49
                                                                  Start date:23/02/2021
                                                                  Path:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\PAYMENT COPY.exe'
                                                                  Imagebase:0x400000
                                                                  File size:332412 bytes
                                                                  MD5 hash:53E8C460446FE305DFC2159961AA6234
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500417911.0000000000750000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500417911.0000000000750000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.499796910.00000000006B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.499796910.00000000006B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500251784.0000000000710000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500251784.0000000000710000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.499394347.0000000000660000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.499394347.0000000000660000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500213366.0000000000700000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500213366.0000000000700000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500144000.00000000006F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500144000.00000000006F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.499506090.0000000000680000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.499506090.0000000000680000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.499715879.00000000006A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.499715879.00000000006A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.504422573.00000000027A5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.401079389.0000000003861000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  Reputation:low

                                                                  General

                                                                  Start time:08:11:55
                                                                  Start date:23/02/2021
                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp'
                                                                  Imagebase:0xe90000
                                                                  File size:185856 bytes
                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:08:11:55
                                                                  Start date:23/02/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff774ee0000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:08:11:56
                                                                  Start date:23/02/2021
                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp'
                                                                  Imagebase:0xe90000
                                                                  File size:185856 bytes
                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:08:11:56
                                                                  Start date:23/02/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff774ee0000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:08:11:56
                                                                  Start date:23/02/2021
                                                                  Path:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\PAYMENT COPY.exe' 0
                                                                  Imagebase:0x400000
                                                                  File size:332412 bytes
                                                                  MD5 hash:53E8C460446FE305DFC2159961AA6234
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  Reputation:low

                                                                  General

                                                                  Start time:08:11:58
                                                                  Start date:23/02/2021
                                                                  Path:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\PAYMENT COPY.exe' 0
                                                                  Imagebase:0x400000
                                                                  File size:332412 bytes
                                                                  MD5 hash:53E8C460446FE305DFC2159961AA6234
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.278355916.0000000002411000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  Reputation:low

                                                                  General

                                                                  Start time:08:11:58
                                                                  Start date:23/02/2021
                                                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                  Imagebase:0x400000
                                                                  File size:332412 bytes
                                                                  MD5 hash:53E8C460446FE305DFC2159961AA6234
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 35%, ReversingLabs
                                                                  Reputation:low

                                                                  General

                                                                  Start time:08:12:07
                                                                  Start date:23/02/2021
                                                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0x400000
File size: 332412 bytes
MD5 hash: 53E8C460446FE305DFC2159961AA6234
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 08:12:09
Start date: 23/02/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0x400000
File size: 332412 bytes
MD5 hash: 53E8C460446FE305DFC2159961AA6234
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.298632979.00000000022E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.298587099.0000000002291000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low
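The Source field of each Yara match names the memory dump the rule fired on, and those names carry useful triage information: the dumps at 0x400000 and 0x4E32000 have protection 0x40 (PAGE_EXECUTE_READWRITE), which is where the unpacked NanoCore code ran and is consistent with the "changes PE section rights" and "overwrites its own PE header" signatures, while the 0x04 (PAGE_READWRITE) dumps are non-executable data regions. The dropped persistence copy dhcpmon.exe also has exactly the same MD5 as the submitted sample, so the file hash is a direct host indicator. The following Python helper is an added example, not code from the Joe Sandbox report or from any NanoCore tooling. It assumes the dump-name layout process.stage.id.address.protection.type.sdmp and that stage 1 is the start-of-process dump and stage 2 the end-of-run dump; the protection values are the winnt.h PAGE_* constants, the trailing type field is left undecoded, and the MD5 and path are taken from the report above.

```python
"""Triage helper for the Yara 'Source' dump identifiers in a Joe Sandbox report.

Added example: not code from the report above or from any NanoCore tooling.
Assumed dump-name layout:
    <process index>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp
Process index, stage, address and protection are hex. Protection is read with
the winnt.h PAGE_* values; the trailing <type> field is kept but not decoded
(assumption: an allocation-type flag).
"""
import hashlib
import re
from collections import defaultdict

# Indicators copied from the report above.
SAMPLE_MD5 = "53e8c460446fe305dfc2159961aa6234"
PERSIST_PATH = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"

# winnt.h page-protection values; every PAGE_EXECUTE_* flag lives in the high nibble.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0xF0

SOURCE_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)
MATCH_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<src>\S+?\.sdmp)")

# Yara match lines for process 0x0F, copied from the report above (a subset).
REPORT_LINES = [
    "• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.298632979.00000000022E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>",
    "• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, Author: Florian Roth",
    "• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, Author: Joe Security",
    "• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth",
    "• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth",
    "• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, Author: Florian Roth",
    "• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth",
    "• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.298587099.0000000002291000.00000004.00000001.sdmp, Author: Joe Security",
]


def parse_source(src):
    """Split one dump name into numeric fields; ValueError on an unexpected layout."""
    m = SOURCE_RE.match(src)
    if m is None:
        raise ValueError("unrecognised dump name: %s" % src)
    return {
        "proc": int(m["proc"], 16),
        "stage": int(m["stage"], 16),   # assumption: 1 = start-of-process, 2 = end-of-run
        "dump": int(m["dump"]),
        "addr": int(m["addr"], 16),
        "prot": int(m["prot"], 16),
        "kind": int(m["kind"], 16),     # not decoded
    }


def parse_matches(lines):
    """Return (rule name, parsed source) for every Yara match line; other lines are skipped."""
    hits = []
    for line in lines:
        m = MATCH_RE.search(line)
        if m:
            hits.append((m["rule"].strip(), parse_source(m["src"])))
    return hits


def summarize(hits):
    """Group hits by (process, base address), keeping protection, stage and the rules that fired."""
    regions = defaultdict(lambda: {"rules": set(), "prot": 0, "stage": 0})
    for rule, s in hits:
        r = regions[(s["proc"], s["addr"])]
        r["rules"].add(rule)
        r["prot"] = s["prot"]
        r["stage"] = s["stage"]
    return dict(regions)


def executable_regions(regions):
    """(process, address) keys whose dump was executable: where unpacked code actually ran."""
    return sorted(k for k, r in regions.items() if r["prot"] & EXECUTE_MASK)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def is_known_sample(md5_hexdigest):
    """Case-insensitive compare against the report hash (the dropped dhcpmon.exe shares it)."""
    return md5_hexdigest.lower() == SAMPLE_MD5


if __name__ == "__main__":
    regions = summarize(parse_matches(REPORT_LINES))
    for (proc, addr), r in sorted(regions.items()):
        flag = "RWX" if r["prot"] & EXECUTE_MASK else "RW "
        print("proc %#x  %016x  %s  stage %d  %s" % (proc, addr, flag, r["stage"], ", ".join(sorted(r["rules"]))))
    print("host check: %s should hash to %s" % (PERSIST_PATH, SAMPLE_MD5))
```

Running the script lists one line per dumped region, so the three executable regions (the image at 0x400000, 0x414000 inside it from the start-of-process dump, and the later allocation at 0x4E32000) stand out from the read-write data regions; on a live host, hashing the file at PERSIST_PATH and passing the digest to is_known_sample confirms whether this exact dropper copy is present.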