Analysis Report bbbe7872ea466446da60c4da50020cbb.exe

Overview

General Information

Sample Name: bbbe7872ea466446da60c4da50020cbb.exe
Analysis ID: 358272
MD5: 88ef84e623f21af8c30d3bba321a7448
SHA1: 701339b101c76fa1ba159c66b48ef2f9b6d73aa8
SHA256: 0095c39f2d6f62dea9fd6d066decab6f0a7acab87829f659efd01bc1d2564bd0
Tags: exeNanoCorenVpnRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "94----", "Group": "V-HASH", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: bbbe7872ea466446da60c4da50020cbb.exe ReversingLabs: Detection: 34%
Yara detected Nanocore RAT
Source: Yara match File source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY
Source: Yara match File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY
Source: Yara match File source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: bbbe7872ea466446da60c4da50020cbb.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 14.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

barindex
Uses 32bit PE files
Source: bbbe7872ea466446da60c4da50020cbb.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: bbbe7872ea466446da60c4da50020cbb.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: mscorrc.pdb source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348914863.0000000008030000.00000002.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.369455397.0000000007BC0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.372863219.0000000007CF0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.386840376.0000000007650000.00000002.00000001.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04F0D098
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 10_2_0296D098
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 11_2_02B0D0D8

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: cloudhost.myfirewall.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49712 -> 79.134.225.105:5654
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 79.134.225.105 79.134.225.105
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: unknown DNS traffic detected: queries for: cloudhost.myfirewall.org
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.325630674.00000000051A9000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe String found in binary or memory: http://inchat.kro.kr
Source: dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe String found in binary or memory: http://schooldb.inchat.kro.kr/
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.330244134.00000000051DD000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329135863.00000000051A7000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329135863.00000000051A7000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com&
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com.
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTCw
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.como.
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comormD
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.333166545.00000000051D5000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.333166545.00000000051D5000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlo
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.332711004.00000000051D5000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.327774459.00000000051AB000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe String found in binary or memory: http://www.gagalive.kr/livechat1.swf?chatroom=inchat-
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.334789389.00000000051D5000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/D
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/vvT
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnp
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a raw input device (often for capturing keystrokes)
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY
Source: Yara match File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY
Source: Yara match File source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2d53ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.2dc3b20.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.2cd1690.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.3023ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large strings
Source: bbbe7872ea466446da60c4da50020cbb.exe, frmLogin.cs Long String: Length: 13656
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.590000.0.unpack, frmLogin.cs Long String: Length: 13656
Source: 0.0.bbbe7872ea466446da60c4da50020cbb.exe.590000.0.unpack, frmLogin.cs Long String: Length: 13656
Source: dhcpmon.exe.4.dr, frmLogin.cs Long String: Length: 13656
Source: 4.0.bbbe7872ea466446da60c4da50020cbb.exe.620000.0.unpack, frmLogin.cs Long String: Length: 13656
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.620000.1.unpack, frmLogin.cs Long String: Length: 13656
Source: 10.0.bbbe7872ea466446da60c4da50020cbb.exe.720000.0.unpack, frmLogin.cs Long String: Length: 13656
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.720000.0.unpack, frmLogin.cs Long String: Length: 13656
Source: 11.2.dhcpmon.exe.720000.0.unpack, frmLogin.cs Long String: Length: 13656
Detected potential crypto function
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 0_2_0059AC81 0_2_0059AC81
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 0_2_04F052D8 0_2_04F052D8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 0_2_04F04890 0_2_04F04890
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 0_2_04F04688 0_2_04F04688
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 0_2_04F052C8 0_2_04F052C8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 0_2_04F04678 0_2_04F04678
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 0_2_04F0C198 0_2_04F0C198
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 0_2_0059AF8E 0_2_0059AF8E
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 4_2_0062AC81 4_2_0062AC81
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 4_2_01117AC1 4_2_01117AC1
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 4_2_0062AF8E 4_2_0062AF8E
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 10_2_0072AC81 10_2_0072AC81
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 10_2_01072E09 10_2_01072E09
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 10_2_02964890 10_2_02964890
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 10_2_02964688 10_2_02964688
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 10_2_029652D8 10_2_029652D8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 10_2_02964880 10_2_02964880
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 10_2_029652C8 10_2_029652C8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 10_2_02964678 10_2_02964678
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 10_2_0296C198 10_2_0296C198
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 10_2_0072AF8E 10_2_0072AF8E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_00EC2E09 11_2_00EC2E09
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_02B04890 11_2_02B04890
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_02B04688 11_2_02B04688
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_02B052D8 11_2_02B052D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_02B052C8 11_2_02B052C8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_02B04678 11_2_02B04678
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_02B0C198 11_2_02B0C198
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 12_2_0079AC81 12_2_0079AC81
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 12_2_04FD2FA8 12_2_04FD2FA8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 12_2_04FD23A0 12_2_04FD23A0
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 12_2_04FD3850 12_2_04FD3850
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 12_2_04FD306F 12_2_04FD306F
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 12_2_0079AF8E 12_2_0079AF8E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_001FAC81 13_2_001FAC81
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 13_2_001FAF8E 13_2_001FAF8E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_0050AC81 14_2_0050AC81
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_04D423A0 14_2_04D423A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_04D42FA8 14_2_04D42FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_04D43850 14_2_04D43850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_04D4306F 14_2_04D4306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 14_2_0050AF8E 14_2_0050AF8E
Sample file is different than original file name gathered from version info
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.342613471.000000000060A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAsyncState.dllF vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348914863.0000000008030000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.349527090.00000000081F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000000.340812552.000000000069A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000000.350174572.000000000079A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.370141196.0000000007D70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAsyncState.dllF vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.369455397.0000000007BC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000000.353961165.000000000080A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.378738155.00000000050F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe
Uses 32bit PE files
Source: bbbe7872ea466446da60c4da50020cbb.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.2d53ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.2d53ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.2dc3b20.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.2dc3b20.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.2cd1690.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.2cd1690.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.3023ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3023ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: bbbe7872ea466446da60c4da50020cbb.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: bbbe7872ea466446da60c4da50020cbb.exe, frmLogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.590000.0.unpack, frmLogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.bbbe7872ea466446da60c4da50020cbb.exe.590000.0.unpack, frmLogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: dhcpmon.exe.4.dr, frmLogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.0.bbbe7872ea466446da60c4da50020cbb.exe.620000.0.unpack, frmLogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.620000.1.unpack, frmLogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 10.0.bbbe7872ea466446da60c4da50020cbb.exe.720000.0.unpack, frmLogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.720000.0.unpack, frmLogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 11.2.dhcpmon.exe.720000.0.unpack, frmLogin.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: classification engine Classification label: mal100.troj.evad.winEXE@20/8@20/1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_051706DA AdjustTokenPrivileges, 11_2_051706DA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_051706A3 AdjustTokenPrivileges, 11_2_051706A3
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe File created: C:\Program Files (x86)\DHCP Monitor Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bbbe7872ea466446da60c4da50020cbb.exe.log Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{d1470c94-c693-4be3-b7c3-884d57fb2b86}
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe File created: C:\Users\user\AppData\Local\Temp\tmp7E95.tmp Jump to behavior
Source: bbbe7872ea466446da60c4da50020cbb.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: bbbe7872ea466446da60c4da50020cbb.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe File read: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe 'C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe'
Source: unknown Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81B3.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe 0
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp' Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81B3.tmp' Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: bbbe7872ea466446da60c4da50020cbb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: bbbe7872ea466446da60c4da50020cbb.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348914863.0000000008030000.00000002.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.369455397.0000000007BC0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.372863219.0000000007CF0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.386840376.0000000007650000.00000002.00000001.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 0_2_04F08420 pushad ; iretd 0_2_04F08421
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 4_2_0111AD35 push cs; retf 4_2_0111AD4B
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 4_2_01119D74 push eax; retf 4_2_01119D75
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 4_2_01119D78 pushad ; retf 4_2_01119D79
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 4_2_0111ADA9 push cs; retf 4_2_0111ADBF
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 4_2_011174B8 push ebp; ret 4_2_011174B9
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 4_2_011174AC push ecx; ret 4_2_011174AD
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 4_2_0111ACC1 push cs; retf 4_2_0111ACD7
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 10_2_02968420 pushad ; iretd 10_2_02968421
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 11_2_02B08420 pushad ; iretd 11_2_02B08421
Source: initial sample Static PE information: section name: .text entropy: 7.59845021391
Source: initial sample Static PE information: section name: .text entropy: 7.59845021391
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe File opened: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5656, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6084, type: MEMORY
Source: Yara match File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 5620, type: MEMORY
Source: Yara match File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6780, type: MEMORY
Source: Yara match File source: 15.2.dhcpmon.exe.28588ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.2d78900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.2e18918.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.2f888c4.1.raw.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Window / User API: foregroundWindowGot 894 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 6784 Thread sleep time: -103297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 6808 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 3912 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 3912 Thread sleep count: 174 > 30 Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 3912 Thread sleep count: 271 > 30 Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 4876 Thread sleep count: 296 > 30 Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 492 Thread sleep time: -220000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 4828 Thread sleep time: -99751s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 4064 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4704 Thread sleep time: -100504s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4532 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 6328 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6024 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5960 Thread sleep time: -103946s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5720 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4744 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp Binary or memory string: vmware
Source: dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Memory written: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Memory written: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp' Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81B3.tmp' Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to behavior
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597421773.0000000002F4B000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.594434140.0000000001360000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.594434140.0000000001360000.00000002.00000001.sdmp Binary or memory string: Progman
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.594434140.0000000001360000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597421773.0000000002F4B000.00000004.00000001.sdmp Binary or memory string: Program Managerv
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.594434140.0000000001360000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Code function: 4_2_0110AF9A GetUserNameW, 4_2_0110AF9A
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY
Source: Yara match File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY
Source: Yara match File source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY
Source: Yara match File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY
Source: Yara match File source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 358272 Sample: bbbe7872ea466446da60c4da500... Startdate: 25/02/2021 Architecture: WINDOWS Score: 100 50 cloudhost.myfirewall.org 2->50 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 13 other signatures 2->60 9 bbbe7872ea466446da60c4da50020cbb.exe 3 2->9         started        13 dhcpmon.exe 3 2->13         started        15 bbbe7872ea466446da60c4da50020cbb.exe 2 2->15         started        17 dhcpmon.exe 2 2->17         started        signatures3 process4 file5 48 bbbe7872ea466446da60c4da50020cbb.exe.log, ASCII 9->48 dropped 64 Injects a PE file into a foreign processes 9->64 19 bbbe7872ea466446da60c4da50020cbb.exe 1 14 9->19         started        24 dhcpmon.exe 2 13->24         started        26 dhcpmon.exe 13->26         started        28 bbbe7872ea466446da60c4da50020cbb.exe 2 15->28         started        30 dhcpmon.exe 17->30         started        signatures6 process7 dnsIp8 52 cloudhost.myfirewall.org 79.134.225.105, 49712, 49713, 49714 FINK-TELECOM-SERVICESCH Switzerland 19->52 40 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->40 dropped 42 C:\Users\user\AppData\Roaming\...\run.dat, data 19->42 dropped 44 C:\Users\user\AppData\Local\...\tmp7E95.tmp, XML 19->44 dropped 46 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->46 dropped 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->62 32 schtasks.exe 1 19->32         started        34 schtasks.exe 1 19->34         started        file9 signatures10 process11 process12 36 conhost.exe 32->36         started        38 conhost.exe 34->38         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
79.134.225.105
 unknown Switzerland
6775 FINK-TELECOM-SERVICESCH true

Contacted Domains

Name IP Active
cloudhost.myfirewall.org 79.134.225.105 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
cloudhost.myfirewall.org true
  • Avira URL Cloud: safe
 unknown